Best practices for Google Workspace admins and MSPs in CubeBackup.
CubeBackup provides a straightforward backup & recovery solution to protect your Google Workspace data. In addition to these basic functionalities, you can also review and implement the following best practices to ensure your CubeBackup instance remains secure and functions seamlessly with your custom integration.
Keep a copy of the encryption key file
CubeBackup will generate an encryption key and use it to encrypt all your data before uploading it to the backup repository.
On Windows, the location is C:\Program Files\CubeBackup4\db\keys.json by default.
On Linux, the location is /opt/cubebackup/db/keys.json by default.
As long as the key is still accessible, it is always possible to set up a new CubeBackup instance and point it to your old backups, even in the unfortunate case of a server crash. Detailed instructions can be found here: Disaster recovery of a CubeBackup instance.
Please note that if the key file is lost, your encrypted backup data will be completely unrecoverable. CubeBackup Inc. does not have access to any key files and will be unable to help you.
Store the data index on an SSD
Data indexes are required for performance reasons in CubeBackup. A backup process must perform substantial read and write operations on the SQLite database in order to track backup data, especially file and folder revisions. SQLite is designed to be a local database, and may have performance and integrity problems when accessed through remote storage, especially in a multi-threaded environment.
The backup process relies heavily on reading/writing the data index, and additionally, CubeBackup backs up Google Workspace accounts in parallel, so the data index can easily become a bottleneck. Based on our tests, storing the data index on an SSD can greatly improve backup speeds.
More information about the data index in CubeBackup can be found here: What is the data index and why is it needed?
Schedule email reports of the backup status
For your convenience, CubeBackup will send periodic automated backup status reports so that it's not necessary to constantly sign in to the CubeBackup web console. Email reports will cover the recent backup status, the current backup progress, and the storage and license usage of your CubeBackup instance.
You can configure the receipts and frequency of email reports in the SETTINGS > System > Email reports section. CubeBackup also optionally supports sending email reports using custom SMTP services. See How are email reports generated and sent via SMTP services for detailed instructions.
By default, CubeBackup will generate the reports locally on your backup server and send them from [email protected] using the Mailgun's API. All details and statistical data used to generate the reports remain strictly private.
In addition, CubeBackup also provides hooks for admins to trigger email notifications of specific events. To integrate CubeBackup hooks with your existing system, and trigger email notifications on demand, please see How to push event notifications to your mailbox using CubeBackup hooks.
Enable HTTPS for your CubeBackup service
Keeping your HTTP connection to the CubeBackup service secure is crucial if you wish to access the backups from another machine, or even outside of your office network if allowed by your company's security policy. Enabling HTTPS for the CubeBackup web console provides another layer of protection for all operation requests.
CubeBackup can apply for a Let's Encrypt's free TLS certificate, and also allows you to upload your own certificate, which can be installed on the backup server automatically. For detailed instructions, see How to enable HTTPS/TLS for the CubeBackup web console.
Configure an IP whitelist for your CubeBackup service
CubeBackup allows you to whitelist specific IP addresses to restrict service access. Set your own inbound rules following the instructions at How to configure an IP address whitelist in CubeBackup.
Assign CubeBackup admins with granular role-based access
Best practice to address privacy and security concerns while managing the backups of a relatively large organization is to create multiple CubeBackup accounts with different levels of permissions. You can manage the CubeBackup admins in the SETTINGS > Accounts section.
CubeBackup supports creating operators to help in daily routine management without needing to involve a system administrator. You can also create and manage multiple CubeBackup system administrators with root privileges, to view the audit logs and update system settings. See Types of accounts in CubeBackup for Google Workspace for a full list of CubeBackup admin roles.
Admin permissions can also be configured on a domain basis, which can be very helpful if you are managing multiple Google Workspace domains as an MSP in a single CubeBackup instance.
Enable Google OAuth login
In addition to multiple administrators, individual users can also be allowed to log in to the CubeBackup console using their normal Google accounts to perform self-service recovery operations. It is often advantageous, especially in large organizations, to allow end users to individually find and recover Google Workspace files or emails by themselves.
Detailed instructions can be found here: How can end users recover their own Google Workspace data through Google OAuth Login?
Integrate health check service using CubeBackup hooks
As a self-hosted backup solution, CubeBackup requires you to maintain the backup service on your own machine and deal with the inevitable failures which will occur. A health check service can be invaluable in monitoring your scheduled backups and in setting up alarms to detect issues such as server downtime, backup service crashes, or even just an abnormally long backup task.
CubeBackup hooks can be configured to interact with a health check or heartbeat system to build a reliable and practical service. In this case, CubeBackup will run automatic backups and trigger hooks after each regular backup, which can be used to send check-in requests to your health check system. Backup failures and missed check-in messages can generate alerts in your health check system.
Instructions in How to monitor the backup cron job and integrate the health check service using CubeBackup hooks will guide you through the CubeBackup hook integration with Healthchecks.io. If you need to implement other monitoring services, you can use these instructions as a reference.
Download the diagnostic file before reaching out for support.
Our support team is always available at [email protected] if you have any questions or need assistance. Before reaching out for support, a good practice is to download your diagnostic file and send it to us for reference.
You can do this by logging in to the CubeBackup web console and modifying the URL like this: <domain name/IP>/diagnose.zip (e.g. http://127.0.0.1/diagnose.zip or https://backup.domainname.com/diagnose.zip). This will download a zip file to your local machine.
Upgrade the server hardware before backing up Google Workspace and Microsoft 365 simultaneously
For managed service providers, you may run CubeBackup for Google Workspace and CubeBackup for Microsoft 365 simultaneously on one server. In this case, please be sure to assign at least 8 GB of memory for your backup server before running the two services at the same time. For more detailed information, see Can I back up Google Workspace and Microsoft 365 on one machine at the same time?