When using labels in Google Workspace with Virtru Private Keystore (CSE), you’ll need to decide what happens to a label when a user makes a copy of a labeled file. This is controlled by the copy behavior settings in the Label Manager.
Choosing the right setting is critical for ensuring encrypted content remains properly classified while balancing usability and access.
When you create or configure a label in Google Admin > Label Manager, you can choose how labels behave if a user makes a copy of a labeled file:
1. Always copy label
- What it does:
- Labels and their values are always copied to the new file — even if the user making the copy does not have permission to apply that label.
- Use case:
- Environments that require strict continuity of classification.
- Example: If a file is labeled Confidential – Finance, any copy of that file will also retain the Confidential – Finance label, no matter who makes the copy.
- CSE impact:
- Ensures that sensitive files remain encrypted under the same access rules, even if copied.
- May result in users ending up with copies of files that they can’t open if they don’t belong to the assigned label group.
2. Copy label if user can apply (Default)
- What it does:
- Labels and values are only copied if the user has permission to apply that label.
- If the user doesn’t have access, the copy is created without a label.
- Use case:
- Balanced approach: maintains access rules without creating inaccessible copies.
- Example: An HR file labeled classification-hr will only retain that label if copied by someone in the HR group. If a Marketing user copies it, the copy won’t carry the HR label.
- CSE impact:
- Prevents unauthorized propagation of restricted labels.
- Keeps encryption aligned with organizational group permissions.
3. Don’t copy label
- What it does:
- Labels are not carried over to the copied file at all.
- Every copy starts without a label, requiring the user to apply one manually.
- Use case:
- Organizations that want users to consciously classify every new file, even if it’s based on an existing one.
- Example: If a Confidential file is copied, the new version will be unlabeled until the user assigns one.
- CSE impact:
- Without a label, the new copy cannot be accessed if encryption is enforced.
- Requires strong user training to ensure compliance and usability.
Best Practice Recommendations
- Most Organizations: Use “Copy label if user can apply” to balance security with usability.
- Highly Regulated Environments: Use “Always copy label” to guarantee classification continuity, but be aware that some users may create inaccessible copies.
- Strict Governance / Training Environments: Use “Don’t copy label” only if you have strong compliance processes in place and want to force deliberate labeling decisions.
Quick Comparison
| Setting | Behavior | Best For |
|---|---|---|
| Always copy label | Label persists on every copy, regardless of permissions | High-security / regulated industries |
| Copy label if user can apply | Label persists only if copier has rights | General use, balanced environments |
| Don’t copy label | No label copied; user must reapply manually | Strict governance, compliance-first orgs |
Summary
The copy behavior setting you choose affects how encrypted content is managed in your organization.
- Always copy = continuity of classification.
- Copy if user can apply = balance between access and control.
- Don’t copy = strict enforcement requiring user action.
Carefully consider your security policies and user workflows when selecting the right option for your deployment.