File systems may use encryption to protect data written to storage devices. Data is written to storage devices in encrypted form so that the raw data stored in the storage devices is unrecognizable. With this protection mechanism, access to the storage device alone is not enough to read the data stored in the storage device. Before the data becomes recognizable and usable, it must first be decrypted with a proper key.
The encryption functionality may be provided using an encryption filter that is external to the file system. Specifically, the encryption filter is placed in the IO (input-output operation) path between an application issuing the IO and the file system driver. When write IOs targeting encrypted files are issued, the write data are encrypted before the file system driver processes the write IOs. When read IOs targeting encrypted files are issued, data are read in encrypted form from the storage device and decrypted before they are returned as read data.
To track files that have been designated for encryption, a filter driver is employed. The filter driver lies in the IO path between the application issuing the IO and the encryption filter. If a file targeted in a write IO is designated for encryption, the filter driver employs the encryption filter to encrypt the write data. Similarly, if a file targeted in a read IO is designated for encryption, the filter driver employs the encryption filter to decrypt the data read from the storage device before returning the data to the application as read data.
A file that is known to contain all zeros may be designated for no encryption, because zeroes do not need to be protected and encrypting them would consume processing resources unnecessarily. For sparse files, the same is true for file blocks that have yet to be allocated. However, when the encryption functionality is implemented using an encryption filter and an associated filter driver, both external to the file system, this optimization is difficult to implement for zero-filled file blocks of sparse files: the file allocation bitmap that indicates which file blocks contain zeroes is maintained by the file system and is not readily available outside the file system.
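The cost described above can be seen in a small model, added here as an illustration and not taken from the original text: a filter driver above a file system reads a sparse designated file with and without access to the allocation map. The class names, the `sees_allocation` flag, the block size, the key and the SHA-256 keystream (a stand-in for a real cipher) are all assumptions.

```python
import hashlib
BLOCK = 4096  # constructed block size for the model

def stand_in_cipher(key, block_no, data):
    """XOR with a SHA-256 counter keystream: a stand-in, not a vetted cipher."""
    stream = b"".join(
        hashlib.sha256(key + block_no.to_bytes(8, "big") + c.to_bytes(4, "big")).digest()
        for c in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class FileSystem:
    """Owns the blocks and the allocation map; holes read back as zeros."""
    def __init__(self):
        self.blocks = {}  # (name, block_no) -> stored bytes; key present = allocated
    def write(self, name, block_no, data):
        self.blocks[(name, block_no)] = data
    def read(self, name, block_no):
        return self.blocks.get((name, block_no), bytes(BLOCK))
    def is_allocated(self, name, block_no):
        return (name, block_no) in self.blocks

class FilterDriver:
    """Tracks designated files and calls the encryption filter on their IO."""
    def __init__(self, fs, key, sees_allocation):
        self.fs, self.key, self.sees_allocation = fs, key, sees_allocation
        self.designated, self.cipher_calls = set(), 0
    def _filter(self, block_no, data):
        self.cipher_calls += 1  # each call is cipher work spent on one block
        return stand_in_cipher(self.key, block_no, data)
    def write(self, name, block_no, data):
        if name in self.designated:
            data = self._filter(block_no, data)
        self.fs.write(name, block_no, data)
    def read(self, name, block_no):
        data = self.fs.read(name, block_no)
        if name not in self.designated:
            return data
        if self.sees_allocation and not self.fs.is_allocated(name, block_no):
            return data  # hole: nothing was encrypted, nothing to decrypt
        return self._filter(block_no, data)  # no allocation info: every block is processed

def scan_sparse_file(sees_allocation, total_blocks=64):
    """Write one block of a sparse designated file, then read every block."""
    drv = FilterDriver(FileSystem(), b"constructed-key", sees_allocation)
    drv.designated.add("sparse.dat")
    drv.write("sparse.dat", 5, b"A" * BLOCK)
    reads = [drv.read("sparse.dat", n) for n in range(total_blocks)]
    return drv.cipher_calls, reads[5], reads[0]
```

With the constructed 64-block file holding one written block, the filter runs the cipher 65 times without allocation information and 2 times with it.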