When using Client-Side Encryption (CSE) with Virtru Private Keystore, label groups control who can access encrypted files. Each classification label (e.g., classification-general, classification-hr) must be tied to a Google Group that defines which users can apply and open files with that label.
This article explains how to create a label group and configure it for use with CSE.
Step 1: Plan Your Label Strategy
Before creating a group, decide:
- Will this be a general access label (open to everyone in the organization)?
- Or will it be a restricted label (limited to specific departments or sensitivity levels)?
Example label groups:
-
classification-general→ Everyone in the org -
classification-hr→ Only HR team members -
classification-finance→ Only Finance team members
Step 2: Create a Google Group
- Sign in to the Google Admin console.
- Go to Groups > Create Group.
- Enter the following details:
-
Group name: Must exactly match the label you’ll assign in the Admin console (e.g.,
classification-hr). -
Group email: Auto-generated (e.g.,
classification-hr@yourdomain.com). - Description: Add context (e.g., “This group controls access to HR encrypted files.”).
-
Group name: Must exactly match the label you’ll assign in the Admin console (e.g.,
- Set Group access level to Restricted (only group members can see who’s in the group).
- Click Create Group.
Step 3: Add Members to the Group
- After the group is created, click on the group name.
- Go to Members > Add Members.
- Add the appropriate users (HR staff, Finance team, Legal team, etc.).
Important: CSE labels do not support nested groups.
- You must add users individually or via a top-level group.
- Nested groups inside
classification-<label-name>will not work.
Step 4: Assign the Group to a Label
- In the Admin console, go to:
Security > Access and data control > Label manager. - Select the label you want to configure.
- Under Label permissions > Advanced permissions, add the Google Group you created.
-
Set the appropriate permission level:
- Can apply labels and set values → Members can apply the label to encrypted content.
- Restricted access → Only members of the group can see or use the label.
- Click Save.
Step 5: Test the Label Group
- Create a new encrypted file in Google Drive.
- Apply the label tied to your new group.
- Verify that:
- Members of the group can open and edit the file.
- Non-members are unable to access it.
Best Practices
-
Start with a General Group: Create a
classification-generalgroup for org-wide access, ensuring all users can access existing encrypted content. - Use Specific Groups for Sensitive Data: Create restricted groups for HR, Finance, Legal, or Executive teams.
- Audit Membership Regularly: Remove users who no longer need access to sensitive label groups.
- Train Users: Communicate clearly how and when to apply labels to encrypted files.
Summary
Creating a label group ensures encrypted files are accessible only to the right users in your organization. Each classification label must correspond to a Google Group that defines who can apply the label and decrypt its content.
By planning your labels and groups carefully, you can balance usability and security in your Virtru Private Keystore deployment.