|Managing Mac endpoints / About SafeGuard File Encryption for Mac|
Each encrypted file is encrypted with a randomly generated key called Data Encryption Key (DEK) using algorithm AES-256. This randomly generated and unique DEK is encrypted and stored as a file header together with the encrypted file, increasing the original file size by 4 KB.
The DEK is encrypted with a Key Encryption Key (KEK). This KEK is stored in the central SafeGuard Enterprise database. It will be assigned by the security officer to a single user, to groups or to organizational units.
To decrypt an encrypted file, the user must have the KEK specific to this file in their key ring.