Initial Configuration of CubeBackup for Google Workspace on NAS


This article will guide you through the initial configuration of CubeBackup on a TerraMaster NAS. For Synology NAS users, please refer to How to run CubeBackup on a Synology NAS. If you are using a NAS from other vendors, you can use this article as a reference.

Note:
CubeBackup is an x86 application and can only run directly on an x86-based NAS. If your NAS is using an ARM CPU, please consider running CubeBackup on a Windows or Linux computer using your NAS as the storage device.

Step 1. Start the CubeBackup configuration wizard

After CubeBackup has been successfully installed, it will appear on the desktop of TOS. You can start to configure CubeBackup by clicking the CubeBackup icon on the desktop.

TIPS:

  • CubeBackup starts a web service on port 8762 on the NAS, so you can also access or configure CubeBackup by visiting http://<nas-ip>:8762 on any web browser within your network.
  • A NAS with at least 2GB memory is recommended to run CubeBackup. CubeBackup may run into an "Out of memory" issue if the NAS has less than 2GB RAM.
  • By default, CubeBackup is installed in the "/usr/local/cubebackupgsuite" directory on TerraMaster NAS.

Step 2. Set backup location

First, you need to set the backup directories for Google Workspace data.

NOTE: Please ensure your NAS has enough available space to store all employee data in your Google Workspace domain, including any future backups. Because Google does not always report the size of all files stored and does not even count some files when totaling storage, and since CubeBackup itself keeps a revision history of files, a good rule of thumb is reserve 2x the estimated data size for your domain. For example, if there are 100 users in your Google Workspace domain and each user has 10GB of data on average, there should be at least 100 * 10GB * 2 = 2TB of space available on your NAS.

Backup GSuite locally

Data index path: For performance reasons, CubeBackup needs to keep some metadata on a separate directory when backing up Google Workspace data.

TIP: Data index is the metadata for the backups, and its accessing speed is crucially important for the performance of the backups. If there is an SSD installed on your NAS, you should place the data index data on the SSD . More information can be found at What is the data index .

Backup path: Select a directory on NAS for the Google Workspace backup data.

TIP: The "/mnt" directory is the mount point for hard drives, so in most cases, you should store backups in a subdirectory under "/mnt".

Encrypt backups: If you want your backups to be stored encrypted, make sure the "Encrypt backups" option is checked.

Tips:
1. Before clicking Next in the CubeBackup setup wizard, we recommend that you download a copy of the encryption key file using the link provided and store it in a separate, safe location. The key is generated locally and is not stored anywhere except on your servers, which means that we at CubeBackup cannot help you if your key file is lost or damaged through server corruption or natural disaster. For more information about rebuilding your CubeBackup instance in the event of a disaster, see: Disaster recovery of a CubeBackup instance .
2. This option cannot be changed after the initial configuration.
3. Data transfer between Google Cloud and your storage is always HTTPS/SSL encrypted, whether or not this option is selected.
4. Encryption may slow down the backup process by around 10%, and cost more CPU cycles.

When all information has been entered, click the Next button.

Step 3. Create Google Service account

In step 3, you are required to input the Google Workspace domain name, the domain administrator account, and the Service account key file.

What is the Service account key? Why is it needed?
Basically, a service account is a special Google account that is used to call Google APIs, so that users don't need to be directly involved. Refer to this doc for more information.

To generate the service account key file, you can use the automatic CubeBackup Service Account Generator or create one manually in Google Cloud Platform (GCP) .

The CubeBackup Service Account Generator is a script developed by the CubeBackup team utilizing Google APIs. It can help you create a new project and an associated service account in just one click.

Tips:

  1. The CubeBackup Service Account Generator performs all API requests directly in your browser, and all data transfers are strictly between your browser and Google's servers.

  2. The CubeBackup Service Account Generator is subject to the Privacy policy and Terms of services . If you have any questions, feel free to reach out to us at [email protected].

Initializing ...

Please follow the instructions below:

  1. Click the button above.
  2. In the pop-up dialog, sign in using a Google account.

    Tip: We recommend using a Google Workspace admin account so that you can take steps to protect this project from accidental changes that could disrupt future backups.

  3. Check the Select all box to grant all necessary permissions for the CubeBackup Service Account Generator.

  4. The service account key file will be automatically downloaded to your local storage. If the download does not start properly, please click the link ' cubebackup_service-account-key.json' to manually download it.

  5. After downloading the service account key file, please return to the CubeBackup setup page, and click the Choose File button to select this JSON key file.

    Note: If you run into any errors while using this script, please try to "Manually create a service account" or contact us at [email protected].

You can also manually create a service account in Google Cloud Platform and use it in the setup wizard. Please follow the instructions below or watch the demo:


  1. Log in to Google Cloud Platform (GCP) .

    Tip: We recommend using a Google Workspace admin account so that you can take steps to protect this project from accidental changes that could disrupt future backups.

  2. Create a new project. Google Cloud Console is a place to manage applications/projects based on Google APIs or Google Cloud Services. Begin by creating a new project.

    • Go to the Projects page in the Google Cloud Console.

      Tip: This page can be opened by either clicking the above link or selecting IAM & admin > Manage resources in the navigation menu. The navigation menu slides out from the left of the screen when you click the main menu icon in the upper left corner of the page.

    • Click CREATE PROJECT.

    • In the New Project page, enter "CubeBackup" as the project name and click CREATE.

      You can leave the Location and Organisation fields unchanged. They have no effect on this project.

    • The creation of the project may take one or two minutes. After the project has been created, click the newly created project in the Notifications dialog to make it the active project in your dashboard (you can also select your newly created project in the project drop-down list at the top of the page to make it the active project).

      Active Project

      Note: Please make sure this project is the currently active project in your console before continuing!

  3. Enable Google APIs.

    • Now open the API Library page by selecting APIs & services > Library from the navigation menu.
    • Search for Google Drive API, then on the Google Drive API page, click ENABLE (Any "Create Credentials" warning message can be ignored, because service account credentials will be created in the next step).
    • Next, go back to the API Library page and follow the same steps to enable Google Calendar API, Gmail API, Admin SDK API, and Google People API.
      > To check whether all necessary APIs have been enabled, please select APIs & Services > Dashboard from the navigation menu, and make sure Admin SDK API, Gmail API, Google Calendar API, Google Drive API and People API are all included in the API list.

  4. Create a Service account.

    • Select IAM & Admin > Service Accounts in the navigation menu.
    • Click +CREATE SERVICE ACCOUNT.
    • In the Service account details step, enter a name for the service account (e.g., cubebackup) and click CREATE AND CONTINUE.
    • In the second step, select "Basic" > "Owner" (or "Project" > "Owner") as the Role, then click CONTINUE.
    • Click DONE directly in the Grant users access to this service account step.
    • On the Service accounts page, click directly on the service account you just created (Don't just check the box, click the email link). This should take you to the Service account details page.
    • Select the KEYS tab of the service account.
    • Click ADD KEY > Create new key.
    • Select JSON as the key type, then click CREATE.
    • Close the dialog that pops up and save the generated JSON key file locally (This file will be used as the service account key in CubeBackup's configuration wizard).

  5. Return to the CubeBackup setup page. After the Service account key file has been generated and downloaded to your local computer, click the Choose File button to select the JSON key file generated in the last step.

Check if the domain name, the Google Workspace administrator account, and the service account key file are all set, and then click Next. GSuite domain

Step 4. Authorize domain-wide access

After creating a Google service account, the created service account needs to be authorized to access your Google Workspace data through Google APIs. Please follow the instructions below or watch the demo.

All operations in this step must be performed by an administrator of your Google Workspace domain.

  • Sign in to the Google Admin console using an administrator account in your domain.
  • From the main menu in the top-left corner, select Security > Access and data control > API controls.
  • Click MANAGE DOMAIN WIDE DELEGATION in the "Domain wide delegation" section.
  • In the Domain-wide Delegation page, click Add new.
  • In the Client ID field, enter the service account's Client ID shown in step 4 of the setup wizard.

service account

  • In the OAuth Scopes field, copy and paste this list of scopes:

    https://www.googleapis.com/auth/admin.directory.domain.readonly,
    https://www.googleapis.com/auth/admin.directory.user.readonly,
    https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
    https://www.googleapis.com/auth/admin.directory.group.readonly,
    https://mail.google.com/,
    https://www.googleapis.com/auth/drive,
    https://www.googleapis.com/auth/calendar,
    https://www.googleapis.com/auth/contacts
  • Click AUTHORIZE. Google Workspace Domain Authorization

  • CubeBackup now has the authority to make API calls in your domain. Return to the CubeBackup setup page, and click the Next button to check if these configuration changes have been successful.

Note: If any error messages pop up, please wait a few minutes and try again. In some cases, Google Workspace domain-wide authorization needs some time to propagate. If it continues to fail, please recheck all your inputs and refer to How do you solve the authorization failed error .

Step 5. Select users

Now you can select which Google Workspace users you would like to back up.

  • By default, all valid users are selected.
  • You can expand an Organization Unit by clicking the OU to see users in that OU.
  • You can even disable the backup for all users in an OU by deselecting the checkbox beside that OU.

    For example, if a school wanted to backup only the data for teachers and not students, they could select the OU for teachers and leave the OU for students unchecked.

select GSuite user

Step 6. Select Shared drives

This step only applies to Google Workspace Business/Enterprise/Education/Nonprofit organizations who have the Shared drives feature enabled. For Google Workspace Legacy or Google Workspace Basic organizations, this step will be skipped.

You can select which Shared drives you would like to back up.

shared drives selection

Step 7. Set administrator password

In this step, you can set up the CubeBackup web console administrator account and password.

  • This account and password is only for the CubeBackup console; it has no relationship with any Google Workspace services.

  • The administrator account does not need to be the Google Workspace administrator of your organization. You can make anyone the CubeBackup administrator.

admin password

After the initial configuration of CubeBackup, you can log into the web console to start the backup or configure CubeBackup with more options.

Purchase a license

CubeBackup is free for trial for 14 days. After the trial period, you must purchase a license to keep using CubeBackup to secure your Google Workspace data.

On the OVERVIEW page in CubeBackup web console, click the Purchase license link in the license information section to be directed to the subscription page, where you can purchase a license for CubeBackup.

  • For Google Workspace Basic/Business/Enterprise organizations, the price is $5 USD/user/year.
  • For Google Workspace Education/Nonprofit organizations, the price is $2 USD/user/year.