Skip to main content
Welcome to Virtru's support portal. As we work to make this page more accessible to screen readers, please contact us at support@virtru.com for technical support.

Reference: How Google CSE Labels Work

  • Updated

Google Workspace offers powerful security tools to help organizations maintain control over their sensitive data. One such tool is Client-Side Encryption (CSE) — which allows files to be encrypted in the browser before being stored in Google Drive, ensuring that only authorized users can decrypt and access the content — not even Google or Virtru can read it.

A key component of CSE is labels, which enable organizations to apply encryption policies based on content classification. In this article, we’ll walk you through how CSE labels work and how they enforce access control in your organization.

Important Note:

  • Users must be added individually to the group associated with the label.
    • Nested groups are not supported — users in subgroup(s) will not inherit access. 
  • Group names must follow the required format:
    • classification-<label-value>@yourdomain.com
  • Label names must match <label-value> in your classification google group name.
  • CSE labels require Google Group names to follow the format classification-<label-value>, which must align with the corresponding Drive Label used to classify CSE content. Once Drive Label integration is enabled, the Virtru Private Keystore will evaluate all group names matching this prefix format and verify them against both the file author and the intended recipients. If a CSE file does not have a Drive Label that matches a properly formatted Google Group name, access to the file will be denied until the correct Drive Label is applied.

What Are Google CSE Labels?

CSE labels are classification tags that Google Workspace administrators create and map to encryption policies. When a user applies a label to a file (either manually or automatically via DLP), it can trigger CSE and apply group-based access control using a third-party key management service (Virtru).

How Does CSE Labels Work?

Here’s a step-by-step breakdown:

  1. Admin Creates a Label
    In the Google Admin console, the admin defines custom labels (e.g., "Confidentiality", "Department Classification") with values like "Top Secret", "HR Confidential", etc.

  2. Admin Maps Labels to Encryption Policies
    In Google Admin Console: Under Security > Access and data control > Label manager, the admin configures which label values trigger encryption and which Google Groups can decrypt the content. 

    Important Note:

    Google requires that these groups follow a specific naming format for compatibility with CSE:classification-<label-value>@yourdomain.com For example, for a label value of confidential, the group should be:classification-confidential@yourdomain.com

  3. User Applies the Label
    Users apply the label to their Google Docs, Sheets, Slides, etc. — either manually or automatically through Drive DLP scanning rules.

  4. File Is Encrypted
    If the label matches a CSE-mapped value, the file is encrypted client-side using an external key service (Virtru), and only users in the allowed group can decrypt and open the file.

Example 1: Simple Sensitivity Labeling

  • Label Name: Confidential

  • Label Values and Access Configuration:
Label Name Encryption Enabled Access Group Label Value
Public ❌ No
Confidential ✅ Yes classification-confidential@yourdomain.com confidential
Top Secret ✅ Yes classifiations-topsecret@yourdomain.com topsecret

How It Works:

  • A file labeled Top Secret is encrypted.
  • Only users in the classifiations-topsecret@yourdomain.com group can open and decrypt it.
  • Anyone else will see an error like: “You don’t have permission to decrypt this file.”

Example 2: Department-Based Classification

This example highlights how teams in different departments can have access to their own confidential materials using unique label mappings.

  • Label Name: Department Classification

  • Values and Mappings:

Label Name Encryption Enabled Access Group Label Value
HR Confidential ✅ Yes classification-hrconfidential@company.com hrconfidential
Legal Restricted ✅ Yes classification-legal-team@company.com legal-team
Engineering IP ✅ Yes classification-engineering@company.com  engineering

 

Use Case:

  • Alice (HR) applies the HR Confidential label to a Google Doc.
    → File is encrypted and only classification-hrconfidential@company.commembers can open it.
    Bob (Legal) tries to access it → ❌ Access Denied.

  • Bob (Legal) labels a contract as Legal Restricted.
    → File is encrypted and only classification-legal-team@company.commembers can view it.
    Carol (Engineer) tries to access it → ❌ Access Denied.

  • Carol (Engineer) applies Engineering to her product designs.
    → Encrypted with CSE and viewable only by classification-engineering@company.com.

How Access Is Enforced

When a user tries to open a CSE-encrypted file:

  1. Google detects the label applied to the file.

  2. It queries the external Key Access Service (KAS) (e.g., Virtru) to check if the user is allowed to access the decryption key.

  3. The KAS:

    • Confirms whether the user's email is in a mapped Google Group.

    • If yes → The key is released, and decryption happens in the browser.

    • If no → Access is denied.

Summary Matrix

File Label Access Group Label Can Alice (HR) Can Bob (Legal) Can Carol (Engineer)
HR Confidential classification-hrconfidential@company.com hrconfidential ✅ Yes ❌ No ❌ No
Legal Restricted classification-legal-team@company.com legal-team ❌ No ✅ Yes ❌ No
Engineering IP classification-engineering@company.com engineering ❌ No ❌ No ✅ Yes


Key Takeaways

  • Client-Side Encryption (CSE) ensures data is encrypted before it leaves the user’s device.

  • Label values must be mapped to Google Groups using the naming format: classification-<label-value>@yourdomain.com

  • Labels + Group Mapping control who can decrypt specific files.

  • Access is denied if a user is not in the group tied to the label.

  • Drive DLP rules can be used to apply labels automatically based on file content.

Google CSE labels provide a seamless and secure way to classify and protect sensitive data — without burdening end users. By using a combination of labels, group-based permissions, and client-side encryption, your organization can ensure that sensitive content is only accessible to the right people.

 

Related articles