Initial Configuration on Linux


This article will guide you through the initial configuration of CubeBackup on Linux. If you are using CubeBackup on Windows or Docker container, please refer to Initial Configuration on Windows or Initial Configuration using Docker.

1. Open the CubeBackup web console

After CubeBackup has been successfully installed, the script will display the URL for the web console. Web Console URL

The default web console address is http://<server_ip>, assuming no other web services are running before CubeBackup. If port 80 is already in use, you will be asked to enter another port for the CubeBackup web console. New port required

TIPS:

  • To uninstall CubeBackup:

    /opt/cubebackup/bin/cbsrv uninstall
    
  • To get more information of the cbsrv command:

    /opt/cubebackup/bin/cbsrv --help
    
  • The web console can be accessed using the above URL through any browser within your network.

  • If permitted by your company’s firewall policy, it can also be accessed from outside your network at http://<server_external_ip>:<port>

2. Set backup location

CubeBackup allows you to backup G Suite data to either on-premises storage or your private Amazon S3 cloud storage.

NOTE: Please ensure the backup location has enough available space to store all employee data in your G Suite domain, including any future backups. Because Google does not always report the size of all files stored and does not even count some files when totaling storage, and since CubeBackup itself keeps a revision history of files, a good rule of thumb is reserve 2x the estimated data size for your domain. For example, if there are 100 users in your G Suite domain and each user has 10GB of data on average, there should be at least 100 * 10GB * 2 = 2TB of space available for the backup.

Currently, CubeBackup allows you to store backups on a local disk, network storage, or private Amazon S3 storage.

2.1 Backup G Suite data to a local disk

Backup GSuite locally

Storage type: Select “Local disk” from the dropdown list.

Data index path: For performance reasons, CubeBackup needs to keep some metadata on a local disk when backing up G Suite data.

TIP: Data index is the metadata for the backups, and its accessing speed is crucially important for the performance of the backups. We strongly recommend to store data index on a local SSD storage. More information can be found at What is the data index.

Backup path: Select a local directory for the G Suite backup data.

Encrypt backups: If you want your backups to be stored encrypted, make sure the “Encrypt backups” option is checked.

Tips for Backup Encryption:

  1. This option cannot be changed after the initial configuration.
  2. Data transfer between the Google Cloud and your storage is always HTTPS/SSL encrypted, whether this option is selected or not.
  3. Encryption may slow down the backup process by around 10%, and cost more CPU cycles.

When all information has been entered, click Next to continue.

2.2 Backup G Suite data to a NAS, SAN, file server, or data center

Backup GSuite to NAS

Storage type: Select “Mounted network storage” from the dropdown list.

Data index path: For performance reasons, CubeBackup needs to keep some metadata on a local disk when backing up G Suite data.

TIP: Data index is the metadata for the backups, and its accessing speed is crucially important for the performance of the backups. We strongly recommend to store data index on a local SSD storage. More information can be found at What is the data index.

Network storage path: Select a mounted network location as the backup storage.

Encrypt backups: If you want your backups to be stored encrypted, make sure the “Encrypt backups” option is checked.

Tips for Backup Encryption:

  1. This option cannot be changed after the initial configuration.
  2. Data transfer between the Google Cloud and your storage is always HTTPS/SSL encrypted, whether this option is selected or not.
  3. Encryption may slow down the backup process by around 10%, and cost more CPU.

When all information has been entered, click Next to continue.

2.3 Backup G Suite Data to private Amazon S3 storage

Backup to Amazon S3

Storage type: Select “Amazon S3” from the dropdown list.

Data index path: For performance reasons, CubeBackup needs to keep some metadata on a local disk when backing up G Suite data.

TIP: Data index is the metadata for the backups, and its accessing speed is crucially important for the performance of the backups. We strongly recommend to store data index on a local SSD storage. More information can be found at What is the data index.

S3 Bucket: Before you can backup Google Drive, Team Drive, Contacts, Calendar and Sites data to Amazon S3, you will first need to create and configure an private Amazon S3 bucket using the following steps:

  1. Create an Amazon AWS account

    If your company has not used an Amazon AWS service, like Amazon EC2 or Amazon S3, before, you will need to create an Amazon AWS account. Please visit Amazon AWS, click the Create an AWS Account button, and follow the instructions.

    If you already have an AWS account, you can sign in directly using your account.

  2. Create Amazon S3 bucket

    Amazon S3 (Amazon Simple Storage Service) is one of the most-widely used cloud storage services in the world. It has been proven to be secure, cost-effective, and reliable. Amazon S3 stores data as objects within buckets. Each object consists of a file and attached metadata. Buckets are configurable containers for any data objects, at specific geographic regions, with controlled access and detailed access logs.

    To create your S3 bucket for G Suite backup data, please follow Amazon’s official instructions at: https://docs.aws.amazon.com/AmazonS3/latest/gsg/CreatingABucket.html

    NOTE: After the bucket has been successfully created, you can change the default configuration on the “Properties” page. You may wish to enable “Server access logging” or “Default encryption”, depending on your company policies, but these options are not necessary for the operation of CubeBackup.

    It is strongly recommended that you create a separate bucket only for CubeBackup.

  3. Create an IAM account

    AWS IAM (Identity and Access Management) is a web service that helps you securely control access to AWS resources. The IAM account will be used to control access to the S3 bucket.

    Instead of defining permissions for the IAM account directly, it is more convenient to create a group with predefined policies and then assign the IAM user to that group.

    Here are a few brief instructions for creating an IAM for CubeBackup:

    1. Open the IAM console at https://console.aws.amazon.com/iam/
    2. In the navigation pane, choose “Users” and then choose Add user.
    3. Enter a name for the new user, e.g., CubeBackupS3
    4. Check the Programmatic access option and leave the AWS Management Console access unchecked.
    5. Click Next: Permissions
    6. On the “Set permissions” page, click Create group
    7. On the “Create group” page, enter a group name (e.g., S3Access) and check “AmazonS3FullAccess” policy, then click Create group
    8. Back on the “Set permissions” page, make sure the newly created group is checked, then click Next:Tags
    9. Click Next: Review
    10. On the “Review” page, ensure that all information is correct, and click Create user.
    11. On the final “Add user” page, click Show in the “Secret access key” column. Leave this page open. You will need “Access key ID” and “Secret access key” values for the next step.

In step 2 of the CubeBackup wizard, you can now enter the name of your Amazon S3 bucket and copy the Access key ID and Secret access key values in the corresponding textboxes.

NOTE: For more information about creating IAM accounts, please visit: AWS IAM account Guide

Encrypt backups: If you want your backups to be stored encrypted, make sure the “Encrypt backups” option is checked.

Tips for Backup Encryption:

  1. This option cannot be changed after the initial configuration.
  2. Data transfer between the Google Cloud and your storage is always HTTPS/SSL encrypted, whether this option is selected or not.
  3. Encryption may slow down the backup process by around 10%, and cost more CPU.

When all information has been entered, click Next to continue.

2.4 Backup G Suite Data to AWS S3 compatible storage

CubeBackup supports AWS S3 compatible storage, such as Google Cloud Storage, Wasabi, etc.

Warning: Some users have reported problems with Google Cloud Storage and Wasabi. These services may not be 100% compatible with Amazon S3 storage APIs. Use at your own risk.

3. Create Google Service account

In step 3, you are required to input the G Suite domain name, the domain administrator account, and the Service account key file.

What is the Service account key? Why it is needed?
Basically, a service account is a special Google account that is used to call Google APIs, so that users don’t need to be directly involved. Refer to https://cloud.google.com/iam/docs/service-accounts for more information.

To generate the Service account key file, please follow the instructions below:

3.1 Log in to Google Cloud Console.

Google Cloud Console does not require an administrator account. A personal Google account, such as myname@mycompany.com, or myname@gmail.com is just fine.

3.2 Create a new project named “CubeBackup”.

Google Cloud Console is a place to manage applications/projects based on Google APIs or Google Cloud Services. Begin by creating a new project.

  • Go to the Projects page in the Google Cloud Console.

TIP: This page can be opened by either clicking the above link or selecting IAM & admin -> Manage resources in the main menu. The main menu slides out from the left of the screen when you click the menu icon icon in the upper left corner of the page.

  • Click CREATE PROJECT.

  • In the New Project page, enter “CubeBackup” as the project name and click CREATE.

TIP: You can leave the Location and Organisation fields unchanged. They have no effect on this project.

3.3 Enable Google APIs.

The creation of the project may take one or two minutes. After the project has been created, go to the Home dashboard by selecting Home from the main menu, click the newly created project in the project list to make it the active project in your dashboard.

Active Project

NOTE: Please make sure this project is the currently active project in your console before continuing!

Now open the API Library page by selecting APIs & services -> Library from the main menu. Select Google Drive API from the G Suite group. On the next page, click ENABLE (Any “Create Credentials” warning message can be ignored, because service account credentials will be created in the next step). Then go back to the API Library page and follow the same steps to enable Google Calendar API, Gmail API, Admin SDK, and Google People API (This API might be located in the Social Group).

To check whether all necessary APIs have been enabled, please select APIs & Services -> Dashboard, and make sure Admin SDK, Gmail API, Google Calendar API, Google Drive API and People API are listed in the API list.

3.4 Create a Service account.

  • Click IAM & Admin in the main menu.
  • Select Service accounts in the left panel.
  • Click CREATE SERVICE ACCOUNT.
  • In the Service account details step, enter a name for the service account (e.g., cubebackup) and click CREATE.
  • In the Service account permissions step, select “Project”->“Owner” as the Role, then click CONTINUE.
  • In the Grant users access to this service account step, click +CREATE KEY.
  • Select JSON as the key type, then click CREATE.
  • Save the generated JSON key file locally.
  • Click DONE.

3.5 Return to the CubeBackup setup page

After the Service account key file has been generated and downloaded to your local computer, click the Choose File button to select the generated JSON key file.

G Suite Domain

4. Authorize domain-wide access

After creating a Google service account, the created service account needs to be authorized to access your G Suite data through Google APIs.

The operations in this step must be performed by an administrator of your G Suite domain.

If you don’t see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from that list of controls. If you can’t see any controls, make sure you are signed in as an administrator for the domain.

  • Select API reference, and make sure Enable API access is checked.
  • Select Advanced settings and then click Manage API client access in the Authentication section.
  • In the Client Name field enter the service account’s Client Name (e.g., 21344333431), shown in step 4 of the setup.

This client name is actually the Unique ID of your newly created Google Service account in the previous step.

  • In the One or More API Scopes field, copy and paste this list of scopes:

    https://www.googleapis.com/auth/admin.directory.domain.readonly,
    https://www.googleapis.com/auth/admin.directory.user.readonly,
    https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
    https://mail.google.com/,
    https://www.googleapis.com/auth/drive,
    https://www.googleapis.com/auth/calendar,
    https://www.googleapis.com/auth/contacts, 
    https://sites.google.com/feeds/ 
    
  • Click Authorize. G Suite Domain Authorization

  • CubeBackup now has the authority to make API calls in your domain. Return to the CubeBackup setup page, and click the Next button to check if these configuration changes have been successful.

NOTE: If any error messages pop up, please wait for a few minutes and try again. In some cases, G Suite domain-wide authorization needs some time to propagate. If it still fails to pass this step, please recheck all your inputs and refer to How do you solve the authorization failed error.

5. Select users

Now you can select which G Suite users you would like to back up.

  • By default, all valid users are selected.
  • You can expand an Organization Unit by clicking the OU to see users in that OU.
  • You can even disable the backup for all users in an OU by deselecting the checkbox beside that OU.

For example, if a school wanted to backup only the data for teachers and not students, they could select the OU for teachers and leave the OU for students unchecked.

NOTE: All Team Drives are backed up by default. You can change the backup setting for Team Drives on the CubeBackup Settings page in the web console.

Select GSuite user

6. Set administrator password

In this step, you can set up the CubeBackup web console administrator account and password.

  • This account and password is only for the CubeBackup console; it has no relationship with any G Suite services.

  • The default administrator account is the G Suite administrator of your organization, but this is not required. You can make anyone the CubeBackup administrator.

  • Multiple administrator accounts are not supported by the current version of CubeBackup.

Admin password

7. More settings

After the initial configuration of CubeBackup, you can log into the CubeBackup web console and select SETTINGS on the left panel for more options. There are two tabs on this page.
The first tab affects only the selected domain; the second tab controls global system settings.

G Suite domains management

As a G Suite administrator, you may manage more than one domain. G Suite Partners/Resellers in particular are often responsible for managing many domains for their clients. CubeBackup allows you to manage multiple domains in one place.

You can select the active domain or add a new domain from the drop-down box in the top-right corner of the web console.

  • Adding a new G Suite domain

You can add a new G Suite domain to CubeBackup by clicking + add domain from the drop-down list in the top-right corner of the web console.

On the Add domain screen, enter the G Suite domain name and admin account for the domain you wish to add, then click Next.

Follow the instructions on the next screen to paste the required API scopes into the G Suite admin console. Once the API scopes have been authorized, click Next.

Now, select the users to backup for the new domain.

  • By default, all valid users are selected.
  • You can expand an Organization Unit by clicking the OU to see users in that OU.
  • You can even disable the backup for all users in an OU by deselecting the checkbox beside that OU. For example, if a school wanted to backup only the data for teachers and not students, they could select the OU for teachers and leave the OU for students unchecked.

  • Finally, click Save.

Team Drive selection

CubeBackup can also backup Team Drives, if your G Suite domain has this feature enabled. You can search and select which Team Drives to include in the backup. This is very useful for schools, for example, as the administrator may not want to backup Team Drives created by students, which could contain very large amounts of storage.

Team Drive backup settings are found at the bottom of the Settings page for the active domain. By default, all Team Drives are selected, but you can search Team Drives and individually choose which ones to include in the backup. There is an option to detect new Team Drives and automatically include them in the backup.

Team Drive

Network Throttling

Backups for an entire G Suite domain can be quite large, and the backup process can consume considerable network bandwidth. CubeBackup allows you to flexibly control network throttling by setting speed limits for work hours and non-work hours independently. Both work days and work hours can be defined to meet your company’s unique needs.

Throttling

Email reports

As an administrator, you may not want to constantly sign in to the CubeBackup web console to check the status of the backup service. CubeBackup can send you monthly, weekly, or even daily email reports of backup status, progress, space used, and much more.

For convenience, CubeBackup will send the email reports to the G Suite administrator using local@cubebackup.com by default. These reports are generated locally by your backup machine. All details and statistical data used to generate the reports remain private. However, if you wish, you can set up your own SMTP server for these reports.

SMTP

8. Additional information