Initial Configuration on Windows


This article will guide you through the initial configuration of CubeBackup on Windows. If you are using CubeBackup on Linux or in a Docker container, please refer to Initial Configuration on Linux or Initial Configuration using Docker.

Step 1. Open the CubeBackup web console

After CubeBackup has been installed, its web console will automatically pop up in your default web browser. You can also open the web console either by clicking the CubeBackup icon on the desktop or by visiting http://<server-ip>:<port> in any web browser on your network.

If permitted by your company’s firewall policy, it can also be accessed from outside your network at http://<server_external_ip>:<port>.

The default web console address is http://<server_ip>, assuming no other web service was already using port 80 when CubeBackup was installed. If port 80 is already in use, the installation wizard will ask you for a different port.

Step 2. Set backup location

CubeBackup allows you to back up Google Workspace data to either on-premises storage or your private cloud storage. Currently, CubeBackup supports backing up to a local disk, NAS/SAN, Amazon S3 storage, Google Cloud storage, Microsoft Azure Blob storage, and Amazon S3-compatible storage. Please click the corresponding tab for detailed instructions.

Backup to a local disk

Storage type: Select “Local disk” from the dropdown list.

Data index path: For performance reasons, CubeBackup needs to keep some metadata on a local disk when backing up Google Workspace data.

Note: The data index is the metadata for the backups, and its access speed is critical to backup performance. We strongly recommend that you store the data index on a local SSD. See What is the data index for more information.

Backup path: Select a local directory for the Google Workspace backup data.

Note: Please ensure the backup location has enough available space to store all employee data in your Google Workspace domain, including any future backups. Because Google does not always report the size of all files stored and does not even count some files when totaling storage, and since CubeBackup itself keeps a revision history of files, a good rule of thumb is to reserve 2x the estimated data size for your domain. For example, if there are 100 users in your Google Workspace domain and each user has 10GB of data on average, there should be at least 100 * 10GB * 2 = 2TB of space available for the backup.

Encrypt backups: If you want your backups to be stored encrypted, make sure the “Encrypt backups” option is checked.

Tips:
1. This option cannot be changed after the initial configuration.
2. Data transfer between the Google Cloud and your storage is always HTTPS/SSL encrypted, whether this option is selected or not.
3. Encryption may slow down the backup process by around 10%, and cost more CPU cycles.

When all information has been entered, click the Next button.

After clicking the Next button, we strongly recommend that you make a copy of the key file <installation directory>/db/keys.json and store it in a separate safe location. If the key file is lost, your encrypted backup data will be completely unrecoverable. CubeBackup Inc. does not have access to any key files and will be unable to help you!

Backup to NAS or SAN

Storage type: Select “Windows network location” from the dropdown list.

Data index path: For performance reasons, CubeBackup needs to keep some metadata on a local disk when backing up Google Workspace data.

Note: The data index is the metadata for the backups, and its access speed is critical to backup performance. We strongly recommend that you store the data index on a local SSD. See What is the data index for more information.

Network storage path: If CubeBackup is installed on a Windows operating system using network storage, the network storage path and access credentials are required in this step.

Manually enter the UNC path for the remote storage, e.g., \\NAS-HOSTNAME\gsuite_backup, or \\192.168.1.123\gsuite_backup. Generally, the hostname is preferred over IP addresses, especially in an Active Directory domain environment.

Notes:

  1. Network resource drive letter mapping is not currently supported. Please use UNC paths (\\NAS-HOSTNAME\backup\gsuite) instead of mapped paths (Z:\gsuite).
  2. Please ensure the backup location has enough available space to store all employee data in your Google Workspace domain, including any future backups. Because Google does not always report the size of all files stored and does not even count some files when totaling storage, and since CubeBackup itself keeps a revision history of files, a good rule of thumb is to reserve 2x the estimated data size for your domain. For example, if there are 100 users in your Google Workspace domain and each user has 10GB of data on average, there should be at least 100 * 10GB * 2 = 2TB of space available for the backup.

User and password: The username and password to access the network storage are required.

  • For Windows networks using Active Directory, the preferred user name format is <DomainName>\<UserName>. For example: cubebackup\smith (smith@cubebackup.com is not supported).
  • For Windows networks organized by workgroup, or if the network storage is located outside of your Active Directory, the format should be <NASHostName>\<UserName>. For example: backup_nas\smith.

Why are a username and password required?
CubeBackup runs as a service using the system default local service account, which does not have rights to access network resources. This is by design in Windows. In order for CubeBackup to access network storage, a username and password must be supplied.

Encrypt backups: If you want your backups to be stored encrypted, make sure the “Encrypt backups” option is checked.

Tips:
1. This option cannot be changed after the initial configuration.
2. Data transfer between the Google Cloud and your storage is always HTTPS/SSL encrypted, whether this option is selected or not.
3. Encryption may slow down the backup process by around 10%, and cost more CPU.

When all information has been entered, click the Next button.

After clicking the Next button, we strongly recommend that you make a copy of the key file <installation directory>/db/keys.json and store it in a separate safe location. If the key file is lost, your encrypted backup data will be completely unrecoverable. CubeBackup Inc. does not have access to any key files and will be unable to help you!

Backup to AWS S3 storage


Note: If you plan to back up your Google Workspace data to Amazon AWS S3 storage, we strongly recommend running CubeBackup on an AWS EC2 instance (e.g. t3.large instance) instead of a local server. Hosting both the backup server and storage on AWS will avoid the bottleneck of all data moving through your local server and greatly improve backup speeds.

Storage type: Select “Amazon S3” from the dropdown list.

Data index path: For performance reasons, CubeBackup needs to keep some metadata on a local disk when backing up Google Workspace data.

Note: The data index is the metadata for the backups, and its access speed is critical to backup performance. We strongly recommend that you store the data index on a local SSD. See What is the data index for more information.

S3 Bucket: Before you can back up Google Drive, Shared drives, Contacts, Calendar and Sites data to Amazon S3, you will first need to create and configure a private Amazon S3 bucket using the following steps:

  1. Create an Amazon AWS account

    If your company has never used an Amazon AWS service, like Amazon EC2 or Amazon S3, you will need to create an Amazon AWS account. Please visit Amazon AWS, click the Create an AWS Account button, and follow the instructions.

    If you already have an AWS account, you can sign in directly using your account.

  2. Create Amazon S3 bucket

    Amazon S3 (Amazon Simple Storage Service) is one of the most widely used cloud storage services in the world. It has been proven to be secure, cost-effective, and reliable. Amazon S3 stores data as objects within buckets. Each object consists of a file and attached metadata. Buckets are configurable containers for data objects, located in specific geographic regions, with controlled access and detailed access logs.

    To create your S3 bucket for Google Workspace backup data, please follow Amazon’s official instructions at https://docs.aws.amazon.com/AmazonS3/latest/gsg/CreatingABucket.html

    After the bucket has been successfully created, you can change the default configuration on the “Properties” page. You may wish to enable “Server access logging” or “Default encryption”, depending on your company policies, but these options are not necessary for the operation of CubeBackup.

    It is strongly recommended that you create a separate bucket only for CubeBackup.

  3. Create an IAM account

    AWS IAM (Identity and Access Management) is a web service that helps you securely control access to AWS resources. The IAM account will be used to control access to the S3 bucket.

    Instead of defining permissions for the IAM account directly, it is more convenient to create a group with predefined policies and then assign the IAM user to that group.

    Here are brief instructions for creating an IAM account for CubeBackup:

    1. Open the IAM console.
    2. In the navigation pane, choose “Users” and then choose Add user.
    3. Enter a name for the new user, e.g., CubeBackupS3.
    4. Check the Programmatic access option and leave the AWS Management Console access unchecked.
    5. Click Next: Permissions.
    6. On the “Set permissions” page, click Create group.
    7. On the “Create group” page, enter a group name (e.g., S3Access) and check “AmazonS3FullAccess” policy, then click Create group.

      Tip: If you want to create an IAM account which only has permissions on the newly created S3 bucket (not the “AmazonS3FullAccess” policy), please refer to this doc.

    8. Back on the “Set permissions” page, make sure the newly created group is checked, then click Next: Tags.

    9. Click Next: Review.

    10. On the “Review” page, ensure that all information is correct, and click Create user.

    11. On the final “Add user” page, click Show in the “Secret access key” column. Leave this page open. You will need “Access key ID” and “Secret access key” values for the next step.

In step 2 of the CubeBackup wizard, you can now enter the name of your Amazon S3 bucket and copy the Access key ID and Secret access key values into the corresponding textboxes.

For detailed information about creating IAM accounts, please visit: AWS IAM account Guide
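
The tip in step 7 mentions a bucket-only alternative to the “AmazonS3FullAccess” policy. The following added example (not CubeBackup's own code) audits an IAM policy document for grants that reach beyond a single bucket; the bucket name and the action list in the scoped sample are assumptions, not CubeBackup's documented requirements.

```python
"""Audit an IAM policy document for grants that reach beyond one S3 bucket."""
import json

BUCKET = "example-cubebackup-bucket"  # hypothetical bucket name

# Constructed sample: allows every S3 action on every resource, which is the
# breadth of access that the AmazonS3FullAccess managed policy gives.
BROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"}
  ]
}
""")

# Constructed sample: bucket-scoped alternative. The action list is an
# assumption for illustration; check the vendor document for the real list.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListBackupBucket", "Effect": "Allow",
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-cubebackup-bucket"},
    {"Sid": "ReadWriteBackupObjects", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-cubebackup-bucket/*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts a bare value or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _inside_bucket(resource, bucket):
    """True only for the bucket ARN itself or for object ARNs under it."""
    arn = f"arn:aws:s3:::{bucket}"
    return resource == arn or resource.startswith(arn + "/")


def audit_policy(policy, bucket):
    """Return (statement label, finding) pairs for every over-broad Allow."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        label = stmt.get("Sid", f"statement[{index}]")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((label, "NotAction/NotResource needs manual review"))
        for action in _as_list(stmt.get("Action")):
            name = action.lower()  # IAM action names are case-insensitive
            if name in ("*", "s3:*"):
                findings.append((label, f"wildcard action {action}"))
            elif not name.startswith("s3:"):
                findings.append((label, f"non-S3 action {action}"))
        for resource in _as_list(stmt.get("Resource")):
            if not _inside_bucket(resource, bucket):
                findings.append((label, f"resource outside bucket: {resource}"))
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(doc, BUCKET) or "no findings")
```
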

Storage class: Select an Amazon S3 storage class for the backup data. Standard-IA or One Zone-IA is recommended.

For more information about Amazon S3 storage classes, please visit AWS Storage classes. You can find the pricing details for the different S3 storage classes at S3 pricing.

Encrypt backups: If you want your backups to be stored encrypted, make sure the “Encrypt backups” option is checked.

Tips:
1. This option cannot be changed after the initial configuration.
2. Data transfer between the Google Cloud and your storage is always HTTPS/SSL encrypted, whether this option is selected or not.
3. Encryption may slow down the backup process by around 10%, and cost more CPU.

When all information has been entered, click the Next button.

After clicking the Next button, we strongly recommend that you make a copy of the key file <installation directory>/db/keys.json and store it in a separate safe location. If the key file is lost, your encrypted backup data will be completely unrecoverable. CubeBackup Inc. does not have access to any key files and will be unable to help you!

Backup to Google Cloud storage


Note: If you plan to back up your Google Workspace data to Google Cloud storage, we strongly recommend running CubeBackup on a Google Compute Engine VM (e.g. e2-standard-2 VM) instead of a local server. Hosting both the backup server and storage on Google Cloud will avoid the bottleneck of all data moving through your local server and greatly improve backup speeds.

Storage type: Select “Google Cloud storage” from the dropdown list.

Data index path: For performance reasons, CubeBackup needs to keep some metadata on a local disk when backing up Google Workspace data.

Note: The data index is the metadata for the backups, and its access speed is critical to backup performance. We strongly recommend that you store the data index on a local SSD. See What is the data index for more information.

Bucket: Before you can back up data to Google Cloud storage, you will first need to create and configure a private Google Cloud Storage bucket using the following steps:

  1. Log in to Google Cloud Console.
    Google Cloud Console does not require an administrator account. A personal Google account, such as myname@mycompany.com, or myname@gmail.com is just fine.

  2. Create a new project.
    Google Cloud Console is a place to manage applications/projects based on Google APIs or Google Cloud Services. Begin by creating a new project:

    • Go to the Projects page in the Google Cloud Console.

    Tip: This page can be opened by either clicking the above link or selecting IAM & admin > Manage resources in the navigation menu.

    • Click CREATE PROJECT.
    • In the New Project page, enter a project name, e.g., “CubeBackup”, and click CREATE.

    You can leave the Location and Organisation fields unchanged. They have no effect on this project.

  3. Create a Google Cloud Storage bucket.

    • Select STORAGE > Cloud Storage > Browser from the navigation menu.
    • In the Cloud Storage Browser page, click CREATE BUCKET.
    • In the Create a bucket page, input a name for the bucket, and click CONTINUE.
    • Choose a location type for the bucket (Region or Dual-region is recommended), then select a location for the bucket, and then click CONTINUE.

    Tips:
    1. Please select the location based on the security & privacy policy of your organization. For example, for EU organizations, you may need to select Europe to be in accordance with GDPR.
    2. Select a location the same as or near to the location of your Google Compute Engine VM.

    • Choose a default storage class for the backup data (Coldline is recommended), then click CONTINUE.
    • Select Uniform as the Access control type, then click CONTINUE.
    • Keep the Advanced setting as default, and click CREATE.

Storage class: The storage class for the backup data. Coldline is recommended. For more information about Google Cloud storage classes, please visit Storage classes. You can find the pricing details for the different Google Cloud storage classes at Cloud Storage Pricing.

Encrypt backups: If you want your backups to be stored encrypted, make sure the “Encrypt backups” option is checked.

Tips:
1. This option cannot be changed after the initial configuration.
2. Data transfer between the Google Cloud and your storage is always HTTPS/SSL encrypted, whether this option is selected or not.
3. Encryption may slow down the backup process by around 10%, and cost more CPU.

When all information has been entered, click the Next button.

After clicking the Next button, we strongly recommend that you make a copy of the key file <installation directory>/db/keys.json and store it in a separate safe location. If the key file is lost, your encrypted backup data will be completely unrecoverable. CubeBackup Inc. does not have access to any key files and will be unable to help you!

Backup to Azure Blob storage


Note: If you plan to back up Google Workspace data to Microsoft Azure Blob storage, we strongly recommend running CubeBackup on a Microsoft Azure Virtual Machine instead of a local server. Hosting both the backup server and storage on Azure Cloud will avoid the bottleneck of all data moving through your local server and greatly improve backup speeds.

Storage type: Select “Azure Blob storage” from the dropdown list.

Data index path: For performance reasons, CubeBackup needs to keep some metadata on a local disk when backing up Google Workspace data.

Note: The data index is the metadata for the backups, and its access speed is critical to backup performance. We strongly recommend that you store the data index on a local SSD. See What is the data index for more information.

Storage account: Your Azure Storage Account.

Access key: The Access Key to your Storage Account.

Container: The container created in your Azure Storage Account.

For more information about the Azure Blob storage, the storage account, and the container, please visit Introduction to Azure Blob storage.

Access tier: The Access Tier for Azure Blob Storage. Cool is recommended.

For more information about Azure Blob Storage access tiers, see this. You can find the pricing details for the different Azure Storage access tiers from here.

If you are an experienced Azure user, you may skip the instructions below. If you are new to Azure storage, please follow the instructions below to create a Storage account and a Container for Azure Blob Storage.

  • Create a storage account

    1. Log into the Microsoft Azure Portal using an Azure account. If you do not have an Azure account, sign up to get a new account.
    2. On the Azure portal menu, select Home, then select Storage Accounts from the Home page.
    3. On the Storage accounts page, choose +Create.
    4. On the Basics tab, select the subscription in which to create the storage account. Then, under the Resource group field, select your desired resource group, or create a new resource group.
    5. Next, enter a name for your storage account. The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length, and may include only numbers and lowercase letters.
    6. Select a location for your storage account, or use the default location.
    7. Select “Standard” as the Performance tier.
    8. Specify how the storage account will be replicated. “Zone-redundant storage (ZRS)” is recommended. For more information about available replication options, see Azure Storage redundancy.
    9. Additional options are available on the Networking, Data protection, Advanced, and Tags tabs. You can leave all additional options as default.
    10. Click Review + create to review your storage account settings, then click Create to create the account.
  • Get Access key
    After creation of the storage account, you will need its Access key.

    1. In the newly created Storage account page, select Security+networking > Access keys from the left panel.
    2. In the Access keys page, click Show keys.
    3. Copy the access key from the key text box of either key1 or key2 and paste it into the Access key textbox on the CubeBackup setup wizard.
  • Create a new container

    1. In the newly created Storage account page, click Containers.
    2. In the containers page, click + Container.
    3. Enter the name for the container, e.g. “cubecontainer”, and leave the Public access level as “Private (no anonymous access)”.
    4. Click Create.

Encrypt backups: If you want your backups to be stored encrypted, make sure the “Encrypt backups” option is checked.

Tips:
1. This option cannot be changed after the initial configuration.
2. Data transfer between the Google Cloud and your storage is always HTTPS/SSL encrypted, whether this option is selected or not.
3. Encryption may slow down the backup process by around 10%, and cost more CPU.

When all information has been entered in the configuration wizard, click the Next button.

After clicking the Next button, we strongly recommend that you make a copy of the key file <installation directory>/db/keys.json and store it in a separate safe location. If the key file is lost, your encrypted backup data will be completely unrecoverable. CubeBackup Inc. does not have access to any key files and will be unable to help you!
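
One way to make and verify the key-file copy recommended above for every storage type, as an added example that is not part of CubeBackup. The function names are hypothetical, the installation and destination directories are supplied by the caller, and the check that keys.json parses as JSON is an assumption based on its file extension.

```python
"""Copy CubeBackup's keys.json to a separate location and verify the copy."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_key_file(install_dir, dest_dir):
    """Copy <install_dir>/db/keys.json into dest_dir and return its SHA-256.

    Raises ValueError for a destination inside the installation directory or
    a source that is not valid JSON, and FileExistsError rather than
    overwriting a different key file that is already stored in dest_dir.
    """
    install_dir = Path(install_dir).resolve()
    dest_dir = Path(dest_dir).resolve()
    source = install_dir / "db" / "keys.json"

    # A copy kept under the installation directory is lost with the original.
    if dest_dir == install_dir or install_dir in dest_dir.parents:
        raise ValueError("destination is inside the installation directory")

    # Assumption: keys.json is JSON. Refuse to archive a truncated file.
    json.loads(source.read_bytes())

    dest_dir.mkdir(parents=True, exist_ok=True)
    target = dest_dir / "keys.json"
    expected = sha256_of(source)
    if target.exists() and sha256_of(target) != expected:
        raise FileExistsError("a different keys.json is already stored here")

    shutil.copy2(source, target)
    if sha256_of(target) != expected:
        raise OSError("copy does not match the original key file")
    return expected


if __name__ == "__main__":
    # Constructed demo layout in a temporary directory; not a real key file.
    root = Path(tempfile.mkdtemp())
    (root / "install" / "db").mkdir(parents=True)
    (root / "install" / "db" / "keys.json").write_text('{"constructed": "sample"}')
    print("verified copy, sha256 =", backup_key_file(root / "install", root / "safe"))
```

Record the returned digest with the copy so that a later restore can confirm the stored file is still intact.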

Backup to S3 compatible storage


CubeBackup supports AWS S3 compatible storage, such as Wasabi and Backblaze B2.

Note: Usually, S3 compatible cloud storage is not as stable as AWS S3. Use at your own risk.

Step 3. Create Google Service account

In step 3, you are required to input the Google Workspace domain name, the domain administrator account, and the Service account key file.

What is the Service account key? Why is it needed?
Basically, a service account is a special Google account that is used to call Google APIs, so that users don’t need to be directly involved. Refer to this doc for more information.

To generate the Service account key file, please follow the instructions below:

a. Log in to Google Cloud Console.

Google Cloud Console does not require an administrator account. A personal Google account, such as myname@mycompany.com, or myname@gmail.com is just fine.

b. Create a new project.

Google Cloud Console is a place to manage applications/projects based on Google APIs or Google Cloud Services. Begin by creating a new project.

Tip: If you have chosen to use “Google Cloud storage” to store the backup data, you may have already created the GCP project for CubeBackup in the previous step. If this is the case, please skip to c. Enable Google APIs.

  • Go to the Projects page in the Google Cloud Console.

Tip: This page can be opened by either clicking the above link or selecting IAM & admin > Manage resources in the navigation menu. The navigation menu slides out from the left of the screen when you click the main menu icon in the upper left corner of the page.

  • Click CREATE PROJECT.

  • In the New Project page, enter “CubeBackup” as the project name and click CREATE.

You can leave the Location and Organisation fields unchanged. They have no effect on this project.

c. Enable Google APIs.

The creation of the project may take one or two minutes. After the project has been created, click the newly created project in the Notifications dialog to make it the active project in your dashboard (you can also select your newly created project in the project drop-down list at the top of the page to make it the active project).

Note: Please make sure this project is the currently active project in your console before continuing!

Now open the API Library page by selecting APIs & services > Library from the navigation menu. Search for Google Drive API, then on the Google Drive API page, click ENABLE (Any “Create Credentials” warning message can be ignored, because service account credentials will be created in the next step). Next, go back to the API Library page and follow the same steps to enable Google Calendar API, Gmail API, Admin SDK API, and Google People API.

To check whether all necessary APIs have been enabled, please select APIs & Services > Dashboard from the navigation menu, and make sure Admin SDK API, Gmail API, Google Calendar API, Google Drive API and People API are all included in the API list.

d. Create a Service account.

  • Select IAM & Admin > Service Accounts in the navigation menu.
  • Click +CREATE SERVICE ACCOUNT.
  • In the Service account details step, enter a name for the service account (e.g., cubebackup) and click CREATE AND CONTINUE.
  • In the second step, select “Basic” > “Owner” (or “Project” > “Owner”) as the Role, then click CONTINUE.
  • Click DONE directly in the Grant users access to this service account step.
  • On the Service accounts page, click directly on the service account you just created (don’t just check the box; click the email link). This should take you to the Service account details page.
  • Select the KEYS tab of the service account.
  • Click ADD KEY > Create new key.
  • Select JSON as the key type, then click CREATE.
  • Close the dialog that pops up and save the generated JSON key file locally (This file will be used as the service account key in CubeBackup’s configuration wizard).

e. Return to the CubeBackup setup page.

After the Service account key file has been generated and downloaded to your local computer, click the Choose File button to select the JSON key file generated in the last step. After the domain name, the Google Workspace administrator account, and the service account key file are all set, click Next.

Step 4. Authorize domain-wide access

After the Google service account has been created, it needs to be authorized to access your Google Workspace data through Google APIs.

All operations in this step must be performed by an administrator of your Google Workspace domain.

  • Sign in to the Google Admin console using an administrator account in your domain.
  • From the main menu in the top-left corner, select Security > API controls.
  • Click MANAGE DOMAIN WIDE DELEGATION in the “Domain wide delegation” section.
  • In the Domain-wide Delegation page, click Add new.
  • In the Client ID field, enter the service account’s Client ID shown in step 4 of the setup wizard.

  • In the OAuth Scopes field, copy and paste this list of scopes:

    https://www.googleapis.com/auth/admin.directory.domain.readonly,
    https://www.googleapis.com/auth/admin.directory.user.readonly,
    https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
    https://mail.google.com/,
    https://www.googleapis.com/auth/drive,
    https://www.googleapis.com/auth/calendar,
    https://www.googleapis.com/auth/contacts,
    https://sites.google.com/feeds/
  • Click AUTHORIZE.

  • CubeBackup now has the authority to make API calls in your domain. Return to the CubeBackup setup page, and click the Next button to check if these configuration changes have been successful.

Note: If any error messages pop up, please wait a few minutes and try again. In some cases, Google Workspace domain-wide authorization needs some time to propagate. If it continues to fail, please recheck all your inputs and refer to How do you solve the authorization failed error.
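
When rechecking inputs after an authorization error, the two values worth comparing are the Client ID in the JSON key file and the scope list pasted into the Admin console. The following added example (not CubeBackup's code) reads the `client_id` field from a service account key and compares a pasted scope list, by exact string, with the eight scopes listed above; the sample key and pasted list are constructed placeholders and the function names are hypothetical.

```python
"""Pre-flight checks for the service account key and the delegated scopes."""
import json
import re

# The eight OAuth scopes this page lists for domain-wide delegation.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/contacts",
    "https://sites.google.com/feeds/",
)

# Constructed sample key file: every value is a placeholder, not a credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0" * 40,
    "private_key": "-----BEGIN PRIVATE KEY-----\n(placeholder)\n-----END PRIVATE KEY-----\n",
    "client_email": "cubebackup@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
})

# Constructed sample of a pasted scope list: the Gmail scope has lost its
# trailing slash and the contacts scope was left out.
SAMPLE_PASTED = """
https://www.googleapis.com/auth/admin.directory.domain.readonly,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
https://mail.google.com,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/calendar,
https://sites.google.com/feeds/
"""


def read_key(text):
    """Return (client_id, client_email) from a JSON key, or raise ValueError."""
    key = json.loads(text)  # json.JSONDecodeError is a ValueError subclass
    if not isinstance(key, dict) or key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    absent = [f for f in ("client_id", "client_email", "private_key") if not key.get(f)]
    if absent:
        raise ValueError("key file is missing: " + ", ".join(absent))
    return key["client_id"], key["client_email"]


def parse_scopes(pasted):
    """Split on commas and whitespace, dropping empty entries."""
    return [scope for scope in re.split(r"[,\s]+", pasted) if scope]


def scope_gaps(pasted):
    """Return (missing, unexpected) relative to REQUIRED_SCOPES."""
    entered = parse_scopes(pasted)
    missing = [s for s in REQUIRED_SCOPES if s not in entered]
    unexpected = [s for s in entered if s not in REQUIRED_SCOPES]
    return missing, unexpected


if __name__ == "__main__":
    client_id, email = read_key(SAMPLE_KEY)
    print("Client ID to enter:", client_id, "for", email)
    missing, unexpected = scope_gaps(SAMPLE_PASTED)
    print("missing:", missing)
    print("unexpected:", unexpected)
```
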

Step 5. Select users

Now you can select which Google Workspace users you would like to back up.

  • By default, all valid users are selected.
  • You can expand an Organization Unit by clicking the OU to see users in that OU.
  • You can even disable the backup for all users in an OU by deselecting the checkbox beside that OU.

    For example, if a school wanted to back up only the data for teachers and not students, they could select the OU for teachers and leave the OU for students unchecked.

Step 6. Select Shared drives

This step only applies to Google Workspace Business/Enterprise/Education/Nonprofit organizations who have the Shared drives feature enabled. For Google Workspace Legacy or Google Workspace Basic organizations, this step will be skipped.

You can select which Shared drives you would like to back up.

Step 7. Set administrator password

In this step, you can set up the CubeBackup web console administrator account and password.

  • This account and password are only for the CubeBackup console; they have no relationship with any Google Workspace services.

  • The administrator account does not need to be the Google Workspace administrator of your organization. You can make anyone the CubeBackup administrator.

After the initial configuration of CubeBackup, you can log into the web console to start the backup or configure CubeBackup with more options.
