The local evidence vault
Capture proof for each control without ever moving a file off your machine. Bastion records what the evidence is and computes a SHA-256 hash in your browser — then discards the bytes.
1. References vs. attached files
Each control has its own evidence vault. An evidence item can be one of two kinds:
- Reference — a name, type, and location/link pointing to where the evidence lives (a SharePoint path, a ticket, a document title). No file is involved.
- Attached file — you pick an actual file; Bastion hashes it locally and records the filename, size, and SHA-256. The file itself stays on your machine.
2. Add an evidence reference
Named evidence is what satisfies the completeness lint for a Met control and what populates your SSP's evidence references.
3. Attach & hash a file
The hint under the attach button says it plainly: "Hashed in your browser — the file never leaves this machine." There is no upload, no server call, nothing transmitted.
4. What's stored vs. discarded
| Stored (in localStorage) | Discarded (never stored, never sent) |
|---|---|
| Filename | The file's contents / bytes |
| File size (bytes) | Any copy of the file |
| SHA-256 hash (full) | — |
| Your reference name, type, location text | — |
Because only the hash is stored, attaching evidence adds almost no size to your assessment data, and there's never a copy of CUI sitting in your browser storage.
5. Why hash and not upload?
A SHA-256 hash is a fixed-length fingerprint of a file's exact bytes. It serves two purposes here:
- Integrity proof. An assessor can re-hash the actual file you hand them (inside your boundary) and compare it to the hash in your evidence index. A match proves it's the exact file you assessed against — unchanged.
- Zero CUI egress. The hash reveals nothing about the file's contents, so it's safe to include in an exported index even when the file itself is CUI. The real file is shared separately, through your own secure channel.
6. Evidence in the index & redaction
All evidence items flow into the bundle's evidence index. In a redacted export, operator-typed reference names and locations are masked as [REDACTED], but attached-file filenames and hashes are kept — they're structural integrity facts an assessor needs, and the hash itself discloses no CUI.
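The redaction rule above, as an added example that is not Bastion's own code: operator-typed fields on reference items are masked, while attached-file filenames and hashes are kept because an assessor needs them to verify integrity. The item shapes (`kind`, `name`, `location`, `filename`, `sha256`) are assumptions for the illustration, not the app's real storage schema.

```javascript
// Added example (not Bastion's code): apply the redacted-export rule to an
// evidence index. Field names are assumed for illustration.
const REDACTED = "[REDACTED]";

// Returns a new index; the input is never mutated.
function redactEvidenceIndex(items, { redacted }) {
  if (!redacted) return items.map(item => ({ ...item }));
  return items.map(item => {
    if (item.kind === "reference") {
      // Operator-typed free text may carry CUI: mask name and location,
      // keep the type so the index still shows what sort of evidence it was.
      return { ...item, name: REDACTED, location: REDACTED };
    }
    if (item.kind === "attached-file") {
      // Structural integrity facts stay: filename, size and SHA-256 disclose
      // no file contents and are what an assessor re-hashes against.
      return { ...item };
    }
    throw new Error(`unknown evidence kind: ${item.kind}`);
  });
}

// Constructed sample index for a single control.
const SAMPLE_INDEX = [
  { kind: "reference", type: "policy", name: "Access Control Policy v3", location: "SharePoint > Security > Policies" },
  { kind: "attached-file", filename: "ac-policy-v3.pdf", sizeBytes: 48213,
    sha256: "0000000000000000000000000000000000000000000000000000000000000000" }, // placeholder hash
];

console.log(JSON.stringify(redactEvidenceIndex(SAMPLE_INDEX, { redacted: true }), null, 2));
```

The reference item's name and location come out as `[REDACTED]`; the attached-file item is returned unchanged.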
7. Re-verifying a file (roadmap)
Roadmap. A one-click re-verify file action — re-selecting a file later to confirm its hash still matches the stored one — is planned but not yet in the app. Today you can verify manually: re-hash the file with a tool like shasum -a 256 yourfile and compare it to the hash shown on the evidence item (or in the evidence index). If they match, the file is unchanged.