This article explains what configuring label means for your organization and what to consider when rolling them out.
With Virtru Private Keystore (VPK) for Google Workspace, your organization gains powerful control over encrypted content through Client-Side Encryption (CSE) labels. Once labels are enabled for your environment, they become a required part of your encryption workflow—replacing the basic “generic encryption” option that was previously available.
What Happens Once Labels Are Enabled
- No return to generic encryption: After labels are configured, every encrypted document—new or existing—must have a label applied. Generic encryption is no longer supported.
- Access to older content: Documents that were created before labels were configured will require a label before they can be accessed. Without a label, users won’t be able to open previously encrypted files.
- New content: Going forward, any new encrypted file must have a label applied at the time of creation.
How to Apply Labels
You have flexibility in how you assign and manage labels:
-
General Access Labels: Create a broad classification label (e.g.,
classification-general) that grants access to everyone in the organization. This ensures universal access to previously created documents. -
Restricted Access Labels: Create multiple labels for different business groups or sensitivity levels (e.g.,
classification-finance,classification-hr). These can be mapped to Google Groups for more granular access control.
Important Considerations
-
No nested group support: CSE labels do not support nested groups. Users must be added to the
classification-<label-name>Google Group individually. Nested groups within these classification groups are not supported at this time. - Plan label strategy early: Because labels will apply to both existing and new encrypted content, it’s critical to decide whether you’ll start with one general label for everyone or immediately roll out a set of restricted labels.
- User experience: Once labels are enabled, users will always be required to apply a label when encrypting content. Consider providing internal training or documentation to guide your team.
Example Rollout Strategies
-
Single General Label (Quick Access)
- Apply one general label to cover the entire organization.
- Benefits: Fast deployment, ensures legacy content remains accessible.
- Best for: Organizations just beginning with CSE.
-
Multiple Restricted Labels (Granular Control)
- Create labels tied to business units, departments, or sensitivity levels.
- Benefits: Stronger data governance, fine-grained access control.
- Best for: Organizations with mature compliance and security needs.
Summary
Once CSE labels are enabled for your organization, labels become mandatory for all encrypted files. Older files require retroactive labeling, and new files must include a label at creation. Planning ahead—whether you choose a general label for simplicity or multiple restricted labels for precision—ensures a smooth transition and minimizes disruption.