The design of a secure file system based on user controlled cryptographic (UCC) transformations is investigated. With UCC transformations, cryptography not only complements other protection mechanisms, but can also enforce protection specifications. Files with different access permissions are enciphered by different cryptographic keys supplied by authorized users at access time. Several classes of protection policies such as: compartmentalized, hierarchical, and data dependent are discussed. Several protection implementation schemes are suggested and analyzed according to criteria such as: security, efficiency, and user convenience. These schemes provide a versatile and powerful set of design alternatives.