diff --git a/solver/secretsprovider.go b/solver/secretsprovider.go
index 3e255bcb..95382e63 100644
--- a/solver/secretsprovider.go
+++ b/solver/secretsprovider.go
@@ -44,6 +44,8 @@ func (s *inputStore) GetSecret(ctx context.Context, id string) ([]byte, error) {
 
 	id = strings.TrimPrefix(id, secretPrefix)
 
+	id = strings.Split(id, ";hash=")[0]
+
 	input, ok := s.st.Inputs[id]
 	if !ok {
 		return nil, secrets.ErrNotFound
diff --git a/state/input.go b/state/input.go
index 6f4500f9..3188f000 100644
--- a/state/input.go
+++ b/state/input.go
@@ -1,6 +1,7 @@
 package state
 
 import (
+	"crypto/sha256"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -196,8 +197,12 @@ func SecretInput(data string) Input {
 
 type secretInput string
 
-func (i secretInput) Compile(key string, _ *State) (*compiler.Value, error) {
-	return compiler.Compile("", fmt.Sprintf(`{id:%q}`, "secret="+key))
+func (i secretInput) Compile(key string, s *State) (*compiler.Value, error) {
+	hash := sha256.New()
+	hash.Write([]byte(key))
+	checksum := hash.Sum([]byte(s.Inputs[key].Secret.PlainText()))
+	secretValue := fmt.Sprintf(`{id:"secret=%s;hash=%x"}`, key, checksum)
+	return compiler.Compile("", secretValue)
 }
 
 func (i secretInput) PlainText() string {