diff --git a/lib/db/queries.go b/lib/db/queries.go
index ec48e5b773454e07ea39abe78a0dab70fc4b8b49..41762119afcd7ac040de53c2d15a4dd643708c9c 100644
--- a/lib/db/queries.go
+++ b/lib/db/queries.go
@@ -61,7 +61,7 @@ func InsertShortURL(bucket, key, destURL string, associatedUser *string) error {
 }
 
 // InsertFile inserts a file object into the database.
-func InsertFile(bucket, key, ext, contentType string, contentLength int64, md5Hash string, associatedUser *string) error {
+func InsertFile(bucket, key, ext, contentType string, contentLength int64, md5Hash, sha256Hash []byte, associatedUser *string) error {
 	if !strings.HasPrefix(key, "/") {
 		key = "/" + key
 	}
@@ -73,6 +73,7 @@ func InsertFile(bucket, key, ext, contentType string, contentLength int64, md5Ha
 		contentType,
 		contentLength,
 		md5Hash,
+		sha256Hash,
 		associatedUser)
 	if err != nil {
 		return err
diff --git a/lib/db/sql.go b/lib/db/sql.go
index 9cb9ad0afd01af4dd5ed0325e35f2e8986cb45d9..ee9e34d2e21e00d78edf527129ce7180ac9692dd 100644
--- a/lib/db/sql.go
+++ b/lib/db/sql.go
@@ -36,9 +36,9 @@ VALUES
 
 var insertFile = `
 INSERT INTO
-	objects (bucket_key, bucket, key, random_key, dir, content_type, content_length, md5_hash, associated_user)
+	objects (bucket_key, bucket, key, random_key, dir, content_type, content_length, md5_hash, sha256_hash, associated_user)
 VALUES
-	($1, $2, $3, $4, '/', $5, $6, $7, $8)
+	($1, $2, $3, $4, '/', $5, $6, $7, $8, $9)
 `
 
 var selectUserByUsernameOrEmail = `
diff --git a/lib/routes/uploadpomf.go b/lib/routes/uploadpomf.go
index 7f516ba63d48b67ff65f73ff56b43b29566861ca..cc5fb4b1552f6704a7c25e5226fe4fcdeddd509d 100644
--- a/lib/routes/uploadpomf.go
+++ b/lib/routes/uploadpomf.go
@@ -2,6 +2,7 @@ package routes
 
 import (
 	"crypto/md5"
+	"crypto/sha256"
 	"encoding/hex"
 	"io"
 	"net/http"
@@ -22,7 +23,7 @@ import (
 	"github.com/spf13/viper"
 )
 
-// Maximum memory per upload.
+// Maximum memory per upload before using temporary files.
 const maxMemory = 1000 * 1000 * 50 // 50 MB
 
 // File field name for multipart/form-data.
@@ -55,7 +56,7 @@ type fileResponse struct {
 	Success     bool   `json:"success"`
 	StatusCode  int    `json:"errorcode,omitempty"`
 	Description string `json:"description,omitempty"`
-	Hash        string `json:"hash,omitempty"`
+	Hash        string `json:"hash,omitempty"` // MD5 hash, not SHA256 hash
 	Name        string `json:"name,omitempty"`
 	URL         string `json:"url,omitempty"`
 	Size        int64  `json:"size,omitempty"`
@@ -168,12 +169,13 @@ func UploadPomf(associateObjectsWithUser bool) func(http.ResponseWriter, *http.R
 				continue
 			}
 
-			// Write file to MD5 and to temp file
-			hash := md5.New()
+			// Write file to MD5 and SHA256 hashers and to temp file
+			md5Hash := md5.New()
+			sha256Hash := sha256.New()
 			tempPath := filepath.Join(viper.GetString("pomf.tempLocation"), key+ext)
 			tempFile, err := os.Create(tempPath)
 			if err != nil {
-				log.Error().Err(err).Msg("failed to create destination file")
+				log.Error().Err(err).Msg("failed to create temporary destination file")
 				if len(files) == 1 {
 					panic(apierrors.InternalServerError)
 				}
@@ -185,11 +187,11 @@ func UploadPomf(associateObjectsWithUser bool) func(http.ResponseWriter, *http.R
 				})
 				continue
 			}
-			writer := io.MultiWriter(hash, tempFile)
+			writer := io.MultiWriter(md5Hash, sha256Hash, tempFile)
 			_, err = io.Copy(writer, f)
 			tempFile.Close()
 			if err != nil {
-				log.Error().Err(err).Msg("failed to write to MD5 hasher and temporary path")
+				log.Error().Err(err).Msg("failed to write to hashers and temporary path")
 				err = os.Remove(tempPath)
 				if err != nil {
 					log.Error().Err(err).Msg("failed to delete temporary file after error")
@@ -218,15 +220,16 @@ func UploadPomf(associateObjectsWithUser bool) func(http.ResponseWriter, *http.R
 				panic(apierrors.InternalServerError)
 			}
 
-			// Get MD5 hash digest
-			md5Hash := hex.EncodeToString(hash.Sum(nil))
+			// Get checksums
+			md5Bytes := md5Hash.Sum(nil)
+			sha256Bytes := sha256Hash.Sum(nil)
 
 			// Insert object into database
 			var associatedUser *string
 			if associateObjectsWithUser {
 				associatedUser = &user.ID
 			}
-			err = db.InsertFile(bucket, key, ext, contentType, file.Size, md5Hash, associatedUser)
+			err = db.InsertFile(bucket, key, ext, contentType, file.Size, md5Bytes, sha256Bytes, associatedUser)
 			if err != nil {
 				log.Error().Err(err).Msg("failed to create DB object for file upload")
 				err = os.Remove(destPath)
@@ -247,7 +250,7 @@ func UploadPomf(associateObjectsWithUser bool) func(http.ResponseWriter, *http.R
 
 			fileResponses = append(fileResponses, fileResponse{
 				Success: true,
-				Hash:    md5Hash,
+				Hash:    hex.EncodeToString(md5Bytes),
 				Name:    file.Filename,
 				URL:     key + ext,
 				Size:    file.Size,