One property of message digests is that they are predictable: hashing the same data yields the same result every time. To help protect against someone who makes an unauthorized change to the data and recomputes the message digest to match, you can provide a secret key so that the algorithm hashes to a value that is unique to both the data and the key. This value is a type of message authentication code (MAC). You cannot easily recreate a MAC without knowing the secret key.
You can use any value you choose for the key, or use the built-in key generation functions to generate a key for you (see Generating encryption keys). If you store the secret key securely, like any cryptographic key, this results in a secure message digest.
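The difference between an unkeyed digest and a MAC, shown as an added example that is not code from this documentation or its product. It assumes HMAC-SHA-256 from the Python standard library as the keyed algorithm, and the record contents and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def plain_digest(data: bytes) -> str:
    """Unkeyed SHA-256 digest: anyone holding the data can recompute it."""
    return hashlib.sha256(data).hexdigest()


def make_mac(key: bytes, data: bytes) -> str:
    """Keyed digest (HMAC-SHA-256, an assumed choice): depends on data and key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    """Recompute the MAC and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(make_mac(key, data), tag)


def demo() -> dict:
    key = secrets.token_bytes(32)           # generated key, kept secret
    original = b"amount=100;payee=alice"    # constructed sample record
    tampered = b"amount=900;payee=alice"    # constructed unauthorized change

    stored_mac = make_mac(key, original)

    # An unkeyed digest can be recomputed to match the changed data,
    # so a verifier comparing digest to data sees nothing wrong.
    replaced_digest = plain_digest(tampered)

    # Without the secret key, a replacement MAC must be made with some other key.
    other_key = secrets.token_bytes(32)
    replaced_mac = make_mac(other_key, tampered)

    return {
        "digest_is_repeatable": plain_digest(original) == plain_digest(original),
        "replaced_digest_passes": plain_digest(tampered) == replaced_digest,
        "original_mac_verifies": verify_mac(key, original, stored_mac),
        "old_mac_on_changed_data": verify_mac(key, tampered, stored_mac),
        "replaced_mac_verifies": verify_mac(key, tampered, replaced_mac),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```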