A one-way function that turns any input into a fixed-size fingerprint
A cryptographic hash is a one-way function that takes an input of any size and returns a fixed-size fingerprint — a short value that changes wildly if even one bit of the input changes.
Three properties make it “cryptographic,” not just any hash. Pre-image resistance: given a hash, you can’t feasibly find an input that produces it. Second-pre-image resistance: given an input, you can’t feasibly find a different input with the same hash. Collision resistance: you can’t feasibly find any two inputs that hash to the same value. Older functions like MD5 and SHA-1 have failed collision resistance and should never be used for anything security-sensitive. The current workhorses are SHA-256 and SHA-512 from the SHA-2 family (FIPS 180-4), with BLAKE3 and SHA-3 as modern alternatives.
Backup systems lean on hashes constantly. They identify content so deduplication can recognise that two files share the same 4 MB chunk. They detect bit-rot, because a single flipped bit on a failing SSD produces a completely different hash. They bind pieces of a repository together so tampering anywhere in the chain is detectable.
In macup, every chunk written to your repository carries a cryptographic hash. That fingerprint is how verification catches a corrupted block on a dodgy external drive, and how dedup knows the 18 MB Xcode build artefact in your Desktop backup is the same one already stored from your Documents backup.