Systems and methods are provided for encrypting data without regard to applications writing the data to, or reading the data from, encrypted data storage devices. An operating system intercept detects information indicating that a file will be encrypted and, in respond, sets device-level flags indicating encryption and also establishes one or more encryption keys to be used in the encryption process. A second intercept detects an input/output event and, in response, calls an encryption application to encrypt (or decrypt) the data before it is written to (or read from) the data storage device.