Securing Scientific Data: Bringing Native Encryption to HDF5

Name: H5+
Author: Lifeboat

Apr 8
3 min read

The Growing Need for Data Protection in HDF5

For more than two decades, HDF5 has been a foundational technology for managing complex

scientific and engineering data. It powers workflows across high-performance computing (HPC),

cloud platforms, and advanced research environments.

However, as data has become more valuable—and more sensitive—the limitations of HDF5

have become increasingly clear. The format is open by design, which is one of its greatest strengths. But that same openness means that anyone with access to a file can inspect its

contents using standard tools or even simple scripts.

For organizations working with medical, financial, aerospace, or proprietary data, this creates a

serious challenge:

How do you protect sensitive data without breaking existing workflows?

Why Traditional Approaches Fall Short

Historically, attempts to add encryption to HDF5 focused on filters applied to dataset chunks.

While useful in limited cases, this approach had major drawbacks:

It only protected subset of data (not metadata)
It didn’t work across all storage layouts
It failed to provide end-to-end protection
Variable-length data is stored as metadata and doesn’t work with filters

Another common workaround has been full-file encryption outside of HDF5. But this introduces

a different problem:

Data must be fully decrypted before use — leaving it exposed during computation.

What users have long needed is a solution that provides continuous protection without

sacrificing HDF5 functionality.

A New Approach: Encryption at the VFD Layer

The solution is to move encryption below the HDF5 API, into the Virtual File Driver (VFD) layer.

By implementing encryption as a pluggable VFD, we achieve something powerful:

Applications continue to use standard HDF5 APIs
Data is automatically encrypted/decrypted during I/O
No application changes are required

This design leverages HDF5’s modular architecture while keeping encryption completely

transparent to users.

How It Works

At the core of the solution is a page-based encryption model:

The HDF5 file is divided into fixed-size pages
Each page is encrypted independently
I/O operations map between plaintext and ciphertext pages

This approach enables:

Random access to encrypted data
Efficient partial reads and writes
Compatibility with parallel and distributed systems

In practice, when an application reads data:

The VFD locates the encrypted page
Decrypts it in memory
Returns it as normal HDF5 data

All of this happens behind the scenes.

Supported Encryption Algorithms

The implementation supports industry-proven symmetric encryption algorithms:

Advanced Encryption Standard (AES) — widely adopted standard used across government and industry
Twofish — a high-performance alternative with strong security properties

This flexibility allows users to choose the right balance between performance, security, and compliance requirements. More algorithms will be added in the future releases.

Built for Modern Data Environments

This solution is designed for today’s computing landscape:

HPC systems — supports parallel I/O and large-scale workloads
Cloud storage — compatible with object storage and remote access patterns
Distributed systems — enables secure data sharing across environments

Importantly, it protects data in two critical states:

At rest (on disk or in storage systems)
In transit (moving across networks or between systems)

Seamless Integration, Zero Disruption

One of the biggest advantages of this approach is how easy it is to adopt:

No changes to existing applications
Works with standard HDF5 tools
Delivered as a plugin

This means organizations can add encryption to existing workflows immediately, without

rewriting code or retraining users.

From Research to Product: H5+

This capability is now fully implemented and is released as part of Lifeboat’s H5+ product suite.

H5+ extends HDF5 with:

Advanced I/O capabilities
Multi-threaded performance
Pluggable storage and format connectors
And now—native encryption

Together, these features transform HDF5 into a modern, secure, and extensible data platform.

Enabling the Next Generation of Secure Data Workflows

As data privacy, security, and compliance become increasingly important, scientific and

enterprise systems must evolve.

By bringing encryption directly into the HDF5 I/O layer, this solution:

Eliminates a major barrier to adoption in sensitive domains
Enables secure collaboration and data sharing
Preserves performance and usability

In short, it allows organizations to use HDF5 with confidence—without compromising on privacy.

Breaking Down Data Silos in Earth Science: A New Approach with HDF5 VOL Connectors

Earth science data is rich, complex—and fragmented. From satellite imagery stored in GeoTIFF, to atmospheric models in GRIB2, to observational data in BUFR and CDF, scientists must navigate a landscap

Lifeboat, LLC Shares HDF5 Innovations at EHUG25, ISC25, and SC25

Lifeboat, LLC will co-organize and present at the European HDF5 User Group Meeting, taking place May 26–28, 2025, at DESY in Hamburg, Germany. The event will feature expert talks, community presentati

Protecting the Confidentiality and Integrity of Data Stored in HDF5