diff --git a/solver/secretsprovider.go b/solver/secretsprovider.go
index 3e255bcb..95382e63 100644
--- a/solver/secretsprovider.go
+++ b/solver/secretsprovider.go
@@ -44,6 +44,8 @@ func (s *inputStore) GetSecret(ctx context.Context, id string) ([]byte, error) {
 id = strings.TrimPrefix(id, secretPrefix)
+ id = strings.Split(id, ";hash=")[0]
+
 input, ok := s.st.Inputs[id]
 if !ok {
 return nil, secrets.ErrNotFound
diff --git a/state/input.go b/state/input.go
index 6f4500f9..5c75fb08 100644
--- a/state/input.go
+++ b/state/input.go
@@ -1,6 +1,7 @@
 package state
 import (
+ "crypto/sha256"
 "encoding/json"
 "fmt"
 "io/ioutil"
@@ -197,7 +198,11 @@ func SecretInput(data string) Input {
 type secretInput string
 func (i secretInput) Compile(key string, _ *State) (*compiler.Value, error) {
- return compiler.Compile("", fmt.Sprintf(`{id:%q}`, "secret="+key))
+ hash := sha256.New()
+ hash.Write([]byte(key))
+ checksum := hash.Sum([]byte(i.PlainText()))
+ secretValue := fmt.Sprintf(`{id:"secret=%s;hash=%x"}`, key, checksum)
+ return compiler.Compile("", secretValue)
 }
 func (i secretInput) PlainText() string {
diff --git a/tests/core.bats b/tests/core.bats
index 597817e5..a3e7e582 100644
--- a/tests/core.bats
+++ b/tests/core.bats
@@ -145,7 +145,7 @@ setup() {
 # Make sure the secret doesn't show in dagger query
 run "$DAGGER" query mySecret.id -f text
 assert_success
- assert_output "secret=mySecret"
+ assert_output --partial "secret=mySecret;hash="
 }
 @test "compute: docker socket" {
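Review bot: In GetSecret (solver/secretsprovider.go), `strings.Split(id, ";hash=")[0]` cuts at the first `;hash=`, so an input key that itself contains that marker is truncated and the lookup in `s.st.Inputs` can resolve to a different entry. Compile in state/input.go appends the suffix last, so cutting at the last occurrence is the safer form: `if i := strings.LastIndex(id, ";hash="); i >= 0 { id = id[:i] }`. The digest is also dropped without being compared to anything; if that is intended, a comment such as `// the ";hash=..." suffix is not verified here; only the key is used for the lookup` would make it explicit. GetSecret's body starts before this hunk and continues past it.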
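Review bot: In `secretInput.Compile` (state/input.go), `hash.Sum([]byte(i.PlainText()))` does not hash the plaintext: `Sum(b)` appends the digest of what has been written so far to `b`, so `checksum` is the raw secret bytes followed by SHA-256 of `key`, and `%x` places the hex-encoded secret in the id that `dagger query mySecret.id` prints. Write the plaintext into the hash and call `Sum(nil)` instead. The new format string also interpolates `key` with `%s` inside a quoted literal where the old code used `%q`, so a key containing `"` or `\` alters the compiled source; build the id first and quote it as a whole. Even once fixed, an unkeyed digest of a low-entropy secret in a visible id can be checked against guesses offline, so a keyed HMAC or a per-project salt is worth considering.

```go
func (i secretInput) Compile(key string, _ *State) (*compiler.Value, error) {
	// Digest covers key and value; Sum(nil) returns only the digest bytes.
	h := sha256.New()
	h.Write([]byte(key))
	h.Write([]byte(i.PlainText()))
	id := fmt.Sprintf("secret=%s;hash=%x", key, h.Sum(nil))
	// %q escapes the whole id, as the previous implementation did.
	return compiler.Compile("", fmt.Sprintf(`{id:%q}`, id))
}
```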
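Review bot: The `--partial` match on `"secret=mySecret;hash="` in tests/core.bats accepts any text after `hash=`, so the check under the comment "Make sure the secret doesn't show in dagger query" no longer proves that. Add a negative assertion next to it, for example `refute_output --partial "<PLAINTEXT_SECRET_VALUE>"` using the value this test feeds in (not visible in the hunk), and ideally a second one for its hex encoding, since the suffix is formatted with `%x`. The enclosing `@test` block starts above the hunk.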