After enabling Client-Side Encryption (CSE) labels with Virtru Private Keystore (VPK), it’s important to test your configuration. Testing ensures that encrypted content is labeled correctly and that access controls are working as intended.
This article walks you through how to validate label-based encryption in Google Drive.
Step 1: Confirm Your Label and Group Setup
- In the Google Admin console:
- Go to Security > Access and data control > Label manager.
- Verify your labels are published and available (e.g.,
classification-general,classification-hr).
- In Groups:
- Confirm each label has a corresponding Google Group with matching name (
classification-<label-name>). - Ensure the right users are added to each group.
- ⚠️ Note: Nested groups are not supported — users must be added individually or at the top-level group.
- Confirm each label has a corresponding Google Group with matching name (
Step 2: Create a Test Encrypted File
- Log in as a test user who is in the
classification-generalgroup. - Open Google Drive → Click New > Google Doc.
- Go to File > Labels > + Apply label.
- Select the label you want to apply (e.g.,
classification-general). - Add sample text and click Save.
Step 3: Verify Access for Authorized Users
- Share the encrypted file with another user in the same label group.
- Have them open the file in Drive.
- Expected result: They can open, view, and edit the encrypted file without issues.
- The file will show the applied label in the Drive UI.
Step 4: Verify Restrictions for Unauthorized Users
- Share the same encrypted file with a user who is not in the label group.
- Have them attempt to open the file.
- Expected result: They will receive an error or access denied message, as they are not part of the required label group.
Step 5: Test Multiple Labels (If Configured)
- If you have restricted labels (e.g.,
classification-hr,classification-finance), repeat steps 2–4 with users inside and outside those groups. - Validate that:
- Group members can access encrypted files.
- Non-members cannot.
Step 6: Apply Labels to Existing Content
- Pick a file that was encrypted before labels were enabled.
- Apply a label (e.g.,
classification-general). - Confirm that authorized users can now access the file.
- This confirms that older encrypted content is accessible once labeled.
Best Practices
-
Use a General Label for Testing: Start with
classification-generalto ensure org-wide access works. - Document Test Results: Keep a record of which labels were tested, which users could access, and which were denied.
- Communicate with End Users: Train users to always select the correct label when encrypting new files.
- Review Groups Regularly: Ensure group memberships are kept current as employees change roles.
Summary
Testing label encryption ensures your Virtru Private Keystore and Google Workspace setup is working as expected. By validating both authorized access and denied access, you confirm that labels enforce the intended security controls.
Once testing is complete, you can confidently roll out CSE labels across your organization.