How is the backup encrypted? Where is the password/key file and how is it generated?

AES encryption

By default, CubeBackup will encrypt all of your Google Workspace backups using the AES algorithm as long as you leave the Encrypt backups setting checked during the initial configuration. Characterized by high speed and low RAM requirements, AES is suitable for encryption for very large data sets.

All metadata stored in the SQLite files is also encrypted using AES-256. This provides another layer of security and protection for your data: even if an intruder were to gain physical access to your backups, they would be useless without the matching AES key.

RSA Key file

A different AES key is used for each backup file. This AES key is encrypted using an RSA algorithm and stored in the header of the backup file. The RSA key file is stored at <CubeBackup installation directory>/db/keys.json.

On Windows, the default installation path of CubeBackup is "C:\Program Files\CubeBackup4\".
On Linux, the default installation path of CubeBackup is "/opt/cubebackup/".

  • The RSA key file is generated when CubeBackup is installed on your computer.
  • The key file is very important for data backup and restoration and should be kept safe and secret. We recommend that you save a copy of the locally generated encryption key in case the server disk becomes damaged.
  • On Linux, it is only accessible to the CubeBackup service.