More configuration options of CubeBackup for Google Workspace
After the initial configuration of CubeBackup, you can log into the CubeBackup web console and select SETTINGS on the left panel for more options.
There are several tabs on this page: The <domain-name> tab affects only the selected domain; the System tab controls global system settings.
Tip: As a Google Workspace organization, or a Google Workspace reseller, you may manage more than one Google Workspace domains. CubeBackup allows you to backup multiple domains in one place.
Settings for a specific domain
By default, CubeBackup will backup all Google Workspace data in your domain, including Gmail, Google Drive, Google Calendar, Google Contacts and Google Sites. However, you can choose which Google Apps to include in your backup by simply clicking the button beside the app.
Note: Due to limitations in the Google Sites API, CubeBackup cannot backup New Google Sites - it can only backup Classic Google Sites. More information is available at https://developers.google.com/sites/.
Drive backup options
When you click Options in the Apps section, the filter settings for Google Drive & Shared Drives backup will pop up, from which you can enable/disable “Backup files shared with me” and set the file exclusion rules.
Backup files shared with me
- When this option is unchecked (recommended), shared files will only be backed up once for the owner of the file, not for every user the file has been shared with.
- When this option is enabled, any files shared among users in the domain will be duplicated and stored separately for each user. Please note that enabling this option in CubeBackup may result in a lot of duplication in the backup data.
Exclude files that match any of the following rules
Some organizations may not wish to back up large or unimportant files in Google Drive or Shared drives in order to save backup storage space.
File exclusion rules allow CubeBackup to skip over certain files in the backup set. For example, if you do not want to backup video files which are larger than 5GB, you can add a rule that says:
has suffix ".mp4", ".mkv", ".avi", ".mov", ".rm", ".rmvb" AND size > 5GB
Detailed explanation of file exclusion rules:
Exclusion rules may be created using the following keywords: has prefix, has suffix, name is, and size.
has prefix: matches the beginning characters of a filename (case insensitive)
has suffix: matches the ending characters of a filename, including, but not limited to, the file extension (case insensitive)
name is: exact match for the name of a file, including the extension (case insensitive).
size: matches file size (recognizes >, <, KB, MB, GB, TB)
“has prefix”, “has suffix”, and “name is” can support multiple values, listed separately in quotation marks. For example:
has suffix ".mp4", ".mkv"
will exclude all mp4 and mkv files.
“size” supports KB, MB, GB, TB (without quotation marks). For example:
size > 2GB
The basic file exclusion rules can be connected with “and” (or “AND”) to construct compound rules. For example:
has suffix ".iso" AND size > 2GB
will exclude files with the extension “.iso” that are also larger than 2GB
has prefix "temp","tmp" AND has suffix "20210105.doc" AND size>200MB
will exclude files that begin with “temp” or “tmp” and end with “20210105.doc” and are larger than 200MB.
Here are a few file exclusion rule samples:
has suffix ".mp4", ".mkv", ".avi", ".mov", ".rm", ".rmvb" AND size > 500MB
excludes video files larger than 500MB.
size > 1TB
excludes all files larger than 1TB.
name is "this is a rubbish file.doc"
excludes files with the exact name “this is a rubbish file.doc”.
has suffix "GMT-7)"
excludes Google Meeting recordings which do not have a file extension, but end similarly in “GMT-7)”.
These rules can be combined together to create larger filter sets. Each created rule works independently of the others (you may think of these rules as being connected by “OR”). For example, if the above rules were all included in the same filter set, they would exclude all video files larger than 500MB, as well as any file at all larger than 1TB, all files named “this is a rubbish file.doc”, and Google Meeting recordings.
Please NOTE that this setting will only affect future backups. Google Drive data that has already been backed up will not be automatically purged from the backup storage. To purge drive files from the backups based on the file exclusion rules, please run the cbackup fileExclude command.
Data retention policy
Preserve all versions: By default, CubeBackup will keep snapshots of file and folder versions using the following rules:
- One snapshot for each hour over the last 24 hours
- One snapshot for each day over the last 30 days
- One snapshot for each week over the last 2 years
- One snapshot per year after two years
Number of days for historical versions to be preserved: Here you can set the retention period for historical backups. For example, if the retention period is set to 365 days:
- Google Drive or Shared Drives snapshots older than 365 days will be removed from the backup.
- Gmail messages which were deleted more than 365 days ago will be removed from the backup.
Advanced user settings
By default, CubeBackup automatically backs up all new users, which greatly reduces the workload for Google Workspace administrators. However, some organizations require more fine-grained control. For example: a school might only want to backup data for new teachers, not for new students. CubeBackup allows you to control the backup for new users based on their Organization Units.
Click the advanced settings beside Automatically enable backups for new users, and check the corresponding OUs in the pop-up dialog.
By default, CubeBackup will try to backup your Google Workspace data once each hour. You can change the backup interval in the System settings. In most cases, there is no need to change this setting - one hour is a reasonable interval for most Google Workspace domains.
- 1 hour is the smallest interval CubeBackup will allow.
- New backups will not begin until the previous backup has finished.
- To set a specific time for the start of the next backup, you can use the included throttling tools for CubeBackup.
Backups for an entire Google Workspace domain can be quite large, and the backup process can consume considerable network bandwidth. CubeBackup allows you to flexibly control network throttling by setting speed limits for work hours and non-work hours independently. Both work days and work hours can be defined to meet your company’s unique needs.
If you’d like to schedule the backup task in CubeBackup, you can set the speed limits of work hours to 0 Mbps, and configure a specific time for the work hours. Then CubeBackup will only initiate a backup process when the work hours are finished.
For example, to create a backup task running at 5 PM every day, you will need to:
- Set the backup interval to 1 hour and click Update backup interval.
- Check the Throttling during work hours option and enter 0 Mbps as the speed limit.
- Set the Work hours to 9:00 to 17:00.
- Click the Update throttling settings button.
As an administrator, you may not want to constantly sign in to the CubeBackup web console to check the status of the backup service. CubeBackup can send you monthly, weekly, or even daily email reports of backup status, progress, space used, and much more.
For convenience, CubeBackup will send the email reports to recipients using email@example.com by default. These reports are generated locally by your backup machine. All details and statistical data used to generate the reports remain private.
Of course, if you wish, you can send the email reports using custom SMTP services, including Gmail SMTP service, your own SMTP service, or Google Workspace SMTP relay services. See How are email reports generated and sent via SMTP services for detailed instructions.
In the initial configuration, an admin account (the system administrator) was created for CubeBackup. The admin account can log into the CubeBackup web console to perform backup and restore jobs, as well as manage all settings for CubeBackup. However, in some cases, multiple administrative accounts with different roles may be needed. For example:
- An operator who can restore data for any Google Workspace user without involving the system administrator.
- If you manage multiple Google Workspace domains in CubeBackup, it may be helpful to assign each domain a separate administrator/operator.
Create a new account
You can click the Create button in the Accounts tab to add a new administrative account.
- System Admin: Full control of CubeBackup.
- Domain Admin: Administrative powers and permissions for specific domain(s).
- Domain operator: Backup & restore permissions for any Google Workspace users in specific domain(s).
For detailed information about different accounts/roles in CubeBackup, please visit Types of accounts in CubeBackup.
Enable Google OAuth login for all users
All accounts created in the “Accounts” page are administrative accounts. CubeBackup also allows each Google Workspace user to restore his/her own data in the CubeBackup console using Google OAuth login. Please refer to enable OAuth login for all Google Workspace users for detailed instructions.
Manage multiple domains
As a Google Workspace administrator, you may manage more than one domain. Google Workspace Partners/Resellers in particular are often responsible for managing many domains for their clients. CubeBackup allows you to manage multiple domains in one place.
You can select the active domain or add a new domain from the drop-down box in the top-right corner of the web console.
- Adding a new Google Workspace domain
You can add a new Google Workspace domain to CubeBackup by clicking + add domain from the drop-down list in the top-right corner of the web console.
On the Add domain screen, enter the Google Workspace domain name and admin account for the domain you wish to add, then click Next.
Follow the instructions on the next screen to paste the required Service account Client ID and OAuth Scopes into the Google Workspace admin console. Once the OAuth Scopes have been authorized, click Next.
Now, select the users to backup for the new domain.
- By default, all valid users are selected.
- You can expand an Organization Unit by clicking the OU to see users in that OU.
You can even disable the backup for all users in an OU by deselecting the checkbox beside that OU. For example, if a school wanted to backup only the data for teachers and not students, they could select the OU for teachers and leave the OU for students unchecked.
Finally, click Save.
Access the console from the Internet
If you would like to access the CubeBackup server from an office network or the Internet, please make sure to allow unrestricted access to HTTP(80) and HTTPS(443) ports on your server.
For a cloud instance,
1. Log into the AWS console and go to the detail page of the CubeBackup instance.
2. In the Security tab, click the link under Security groups -> Edit inbound rules.
3. Now you can Add rule on the left bottom. Select “HTTP” in the Type dropdown list and “Anywhere-IPv4” in the Source dropdown list.
4. Add another rule and select “Anywhere-IPv6” in the Source dropdown list.
5. Repeat steps 1-4 for “HTTPS”.
6. Click Save rules at the bottom.
On Microsoft Azure:
1. Log into the Microsoft Azure portal and go to the detail page of the virtual machine on which CubeBackup is running.
2. Open Networking in the Settings section and Add inbound port rule.
3. You can select “HTTP” in the Service dropdown list and leave all the others as default. Click Add at the bottom.
4. Repeat steps 1~3 for “HTTPS”. If necessary, you may need to use a new name for this rule.
On Google Cloud:
1. Log into the Google Cloud Platform and go to the detail page of the VM instance on which CubeBackup is running.
2. In the Firewalls section, click EDIT and check the box in front of “Allow HTTP traffic” and “Allow HTTPS traffic”.
3. Save the changes at the bottom.
For a Windows instance, you need to set up the inbound rules twice on both the cloud platform and the server. Here are the instructions:
- Log into the Windows server using RDP.
- Open Network & Internet section in the Settings.
- Then find Windows Firewall -> Advanced settings -> Inbound Rules.
- Now you can add New rule… -> select Port -> TCP -> input 80,443 in the Special local ports.
- Keep all the other options as default and Name the rule, then click Finish.
Now you will be able to access the CubeBackup console directly through the IP address from the office network or the Internet. If needed, you can also assign a domain name and enable HTTPS/TLS for the console.
Secure the encryption key file
By default, the backup data will be encrypted as long as you leave the Encrypt backups setting checked during the initial configuration. The encryption key file is generated during the configuration and is stored on your server.
On Linux, the encryption key file is stored as “/opt/cubebackup/db/keys.json” by default.
On Windows, the encryption key file is stored as “c:\Program Files\CubeBackup4\db\keys.json” by default.
The encryption key file is very important for data backup and restoration. If it is lost, all backup data will become useless. We strongly recommend that you make a copy of the key file and store it in a safe place. CubeBackup Inc. does not have access to any key files and cannot help you if the encryption key file is lost.