Encryption key management for file system
US-2017286709-A1 · Oct 5, 2017 · US
US10496841B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10496841-B2 |
| Application number | US-201715417508-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 27, 2017 |
| Priority date | Jan 27, 2017 |
| Publication date | Dec 3, 2019 |
| Grant date | Dec 3, 2019 |
Official abstract text for this publication.
A file layout and encryption scheme to protect a data file are introduced. A system, computer-readable medium, and method are provided for selecting an encrypted data node of a data file for writing data, generating a node encryption key for the selected encrypted node, encrypting the selected encrypted node with the node encryption key, saving the node encryption key and a node integrity check value for the node encryption key in a parent encrypted cryptographic node, selecting an ancestor encrypted cryptographic node as the selected encrypted node, and repeating the generating, encrypting, saving, and selecting the ancestor encrypted cryptographic node until the selected ancestor encrypted cryptographic node is a root encrypted cryptographic node for the data file. Encrypting a data node with the node encryption key further saves the data to be written to the encrypted data node.
Opening claim text (preview).
What is claimed is:

1. A system comprising: a processor; and at least one computer-readable medium coupled to the processor, wherein the at least one computer-readable medium comprises instructions that, when executed, cause a computer to: when processing a data file that comprises data nodes and cryptographic nodes that are to be encrypted before being saved in data storage, write data to a selected node among the data nodes; generate a node encryption key for the selected node; encrypt the selected node with the node encryption key; save the node encryption key and a node integrity check value for the node encryption key in a parent cryptographic node; select an ancestor cryptographic node as a next selected node; and repeat the generating, encrypting, saving, and selecting the ancestor cryptographic node operations until the selected ancestor cryptographic node is a root cryptographic node for the data file.

2. The system of claim 1, wherein if the selected ancestor cryptographic node is the root cryptographic node, the instructions further cause the computer to: generate a root cryptographic node encryption key for the root cryptographic node; and save the root cryptographic node encryption key in a metadata node of the data file.

3. The system of claim 2, wherein if the selected ancestor cryptographic node is the root cryptographic node, the instructions further cause the computer to: save the encrypted data node of the data file to the data storage; and save each ancestor encrypted cryptographic node associated with the encrypted data node to the data storage.

4. The system of claim 3, wherein the instructions further cause the computer to: generate a metadata encryption key for the data file; and update the metadata node of the data file.

5. The system of claim 4 wherein the metadata node comprises: an encrypted portion comprising: the root node encryption key; and a root integrity check value for the root node encryption key; and an unencrypted portion comprising: a key identifier; and a metadata integrity check value; and the instructions to update the metadata node further cause the computer to: create the key identifier; generate the metadata encryption key using the key identifier; generate the metadata integrity check value for the metadata encryption key; encrypt the encrypted portion of the metadata node with the metadata encryption key; and save the key identifier and the metadata integrity check value in the unencrypted portion of the metadata node.

6. The system of claim 5, wherein the operation of writing data to the selected node among the data nodes comprises saving the data in the selected data node.

7. The system of claim 6, wherein the instructions to generate the root cryptographic node encryption key further cause the computer to generate the root cryptographic node encryption key from a sealing key of a secure enclave comprising the instructions.

8. A method comprising: when processing a data file that comprises data nodes and cryptographic nodes that are to be encrypted before being stored to data storage, write data to a selected node among the data nodes; generating a node encryption key for the selected node; encrypting the selected node with the node encryption key; saving the node encryption key and a node integrity check value for the node encryption key in a parent cryptographic node; selecting an ancestor encrypted cryptographic node as a next selected node; and repeating the generating, encrypting, saving, and selecting the ancestor cryptographic node operations until the selected ancestor cryptographic node is a root cryptographic node for the data file.

9. The method of claim 8, wherein if the selected ancestor cryptographic node is the root cryptographic node: the operation of generating the node encryption key comprises generating a root node encryption key for the root cryptographic node; and the operation of saving the node encryption key comprises saving the root node encryption key in a metadata node of the data file.

10. The method of claim 9, wherein if the selected ancestor cryptographic node is the root cryptographic node, the method further comprises: saving the encrypted data node of the data file to the data storage; and saving each ancestor encrypted cryptographic node associated with the encrypted data node to the data storage.

11. The method of claim 10, further comprising: generating a metadata encryption key for the data file; and updating the metadata node of the data file.

12. The method of claim 11 wherein the metadata node comprises: an encrypted portion comprising: the root node encryption key; and a root integrity check value for the root node encryption key; and an unencrypted portion comprising: a key identifier; and a metadata integrity check value; and the operation of updating the metadata node further comprises: creating the key identifier; generating a metadata encryption key using the key identifier; generating the metadata integrity check value for the metadata encryption key; encrypting the encrypted portion of the metadata node with the metadata encryption key; and saving the key identifier and the metadata integrity check value in the unencrypted portion of the metadata node.

13. The method of claim 12, wherein the operation of writing data to the selected node among the data nodes comprises saving the data in the selected data node.

14. The method of claim 13, wherein the operation of generating the root cryptographic node encryption key further comprises generating the root cryptographic node encryption key from a sealing key of a secure enclave comprising the instructions.

15. At least one non-transitory computer-readable medium comprising instructions that, when executed by a processor, cause a computer to: when processing a data file that comprises data nodes and cryptographic nodes that are to be encrypted before being stored to data storage, write data to a selected node among the data nodes; generate a node encryption key for the selected node; encrypt the selected node with the node encryption key; save the node encryption key and a node integrity check value for the node encryption key in a parent cryptographic node; select an ancestor cryptographic node as a next selected node; and repeat the generating, encrypting, saving, and selecting the ancestor encrypted cryptographic node operations until the selected ancestor cryptographic node is a root cryptographic node for the data file.

16. The at least one computer-readable medium of claim 15, wherein if the selected ancestor cryptographic node is the root cryptographic node, the instructions cause the computer to: generate a root cryptographic node encryption key for the root cryptographic node; and save the root cryptographic node encryption key in a metadata node of the data file.

17. The at least one computer-readable medium of claim 16, wherein if the selected ancestor cryptographic node is the root cryptographic node, the instructions further cause the computer to: save the encrypted data node of the data file to the data storage; and save each ancestor cryptographic node associated with the encrypted data node to the data storage.

18. The at least one computer-readable medium of claim 17, wherein the instructions further cause the computer to: generate a metadata encryption key for the data file; and update the metadata node of the data file.
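The write path of the abstract and claims 1 to 5, with the matching read path, as an added illustration that is not code from the patent. Assumptions: an HMAC-SHA256 keystream with an HMAC tag stands in for an authenticated cipher (the page names none), `master_key` is an assumed long-term secret from which the metadata encryption key is derived using the key identifier, and all function names and node ids are constructed.

```python
import hashlib, hmac, json, os

def _stream(key, n):  # assumption: HMAC-SHA256 counter keystream stands in for a real AEAD
    blocks = (hmac.new(key, b"enc%d" % i, hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, pt):  # returns (ciphertext, integrity check value)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, len(pt))))
    return ct, hmac.new(key, b"mac" + ct, hashlib.sha256).digest()

def unseal(key, ct, icv):
    if not hmac.compare_digest(icv, hmac.new(key, b"mac" + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct))))

def encode(node):  # cryptographic nodes are {child_id: key || icv}; data nodes are bytes
    return node if isinstance(node, bytes) else json.dumps({c: v.hex() for c, v in node.items()}).encode()

def write(f, master_key, node_id, data):
    f["plain"][node_id] = data                     # data saved in the selected data node
    node = node_id
    while True:
        key = os.urandom(32)                       # fresh node encryption key
        f["disk"][node], icv = seal(key, encode(f["plain"][node]))
        parent = f["parent"].get(node)
        if parent is None:                         # node is the root cryptographic node
            break
        f["plain"][parent][node] = key + icv       # key and its ICV saved in the parent
        node = parent                              # repeat on the ancestor
    key_id = os.urandom(16)                        # unencrypted portion: key identifier
    meta_key = hmac.new(master_key, key_id, hashlib.sha256).digest()
    enc, meta_icv = seal(meta_key, key + icv)      # encrypted portion: root key + root ICV
    f["meta"] = {"key_id": key_id, "icv": meta_icv, "enc": enc}

def read(f, master_key, node_id):
    path = [node_id]
    while path[-1] in f["parent"]:
        path.append(f["parent"][path[-1]])
    m = f["meta"]
    slot = unseal(hmac.new(master_key, m["key_id"], hashlib.sha256).digest(), m["enc"], m["icv"])
    for i in range(len(path) - 1, -1, -1):         # root first, then down to the data node
        pt = unseal(slot[:32], f["disk"][path[i]], slot[32:])
        if i:
            slot = bytes.fromhex(json.loads(pt)[path[i - 1]])
    return pt

def new_file():  # constructed layout: two data nodes, one cryptographic node, one root
    return {"parent": {"d0": "c0", "d1": "c0", "c0": "root"},
            "plain": {"c0": {}, "root": {}}, "disk": {}, "meta": None}
```

Because every write re-keys the whole path up to the metadata node, restoring an earlier ciphertext of a single node fails the integrity check on the next read, while sibling nodes that were not rewritten stay readable under the keys already held by their parent.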
received data contents, e.g. message integrity · CPC title
using cryptographic hash functions · CPC title
to a system of files or objects, e.g. local or distributed file system or database · CPC title
Protecting data integrity, e.g. using checksums, certificates or signatures · CPC title
using tree structure or hierarchical structure · CPC title