How to enable Two-factor authentication (2FA) for the CubeBackup console login.


Enhancing the security of your online accounts is crucial. Two-factor authentication (2FA) adds an extra layer of protection to your CubeBackup account, beyond just a password.

Enable 2FA for individual admin login

CubeBackup allows admins to secure their accounts using an Authenticator app. To enable 2FA for your account:

  1. Navigate to the top right corner of the CubeBackup web console, hover over the admin name and click Settings.
  2. In the Two-factor authentication section, click the Enable two-factor authentication button and follow the prompts to set up the Authenticator for your CubeBackup account.

enable 2FA in the CubeBackup web console

Require 2FA for all admins

To mandate 2FA for all admins on a CubeBackup instance:

  1. Log (or SSH) into your backup server.
  2. Open the configuration file config.toml using a text editor.

    Note:
    Starting with version 4.7, the configuration file is located at <installation directory>/etc/config.toml for fresh installations of CubeBackup. For installations upgraded through the console, or versions prior to 4.7, the configuration file is still located at <installation directory>/bin/config.toml.
         On Windows, the installation directory is located at C:\Program Files\CubeBackup4 by default.
         On Linux, the installation directory is located at /opt/cubebackup by default.

  3. In the [Web] section, set the value of TwoFactorAuthEnabled to true. If your config.toml file doesn't contain a TwoFactorAuthEnabled line, please manually add it to the [Web] section.

    [Web]
    ...
    TwoFactorAuthEnabled = true
    ...
  4. Save your changes and refresh the CubeBackup login page to ensure the settings are applied.

  5. Admins previously configured with an Authenticator can continue to use their existing auth codes. Admins without 2FA configuration will receive an authentication code via email during the login process.

Google OAuth Login for Admins

CubeBackup also supports Google OAuth for admin logins. This method allows admins to use their Google accounts, utilizing the 2FA settings configured in Google for added security. Detailed instructions can be found here: How to enable Google OAuth login for the CubeBackup web console.

How to configure an IP whitelist to skip 2FA login for admins

CubeBackup also allows you to skip two-factor authentication (2FA) for logins from trusted IP addresses, adding simplicity for trusted environments. To set this up, please follow the instructions below:

  1. Log (or SSH) into your backup server.
  2. Open the configuration file config.toml using a text editor.

    Note:
    Starting with version 4.7, the configuration file is located at <installation directory>/etc/config.toml for fresh installations of CubeBackup. For installations upgraded through the console, or versions prior to 4.7, the configuration file is still located at <installation directory>/bin/config.toml.
         On Windows, the installation directory is located at C:\Program Files\CubeBackup4 by default.
         On Linux, the installation directory is located at /opt/cubebackup by default.

  3. Under the [Web] section, add the TwoFactorAuthIPWhitelist field and add a list of trusted IP addresses to the array.

    The TwoFactorAuthIPWhitelist field accepts values in the format of IPv4, IPv6, or IP ranges of your office network.

    The [Web] section should be formatted like the example below after modification.

    [Web]
    ...
    TwoFactorAuthIPWhitelist = ["192.168.10.1/24","2001:0db8::1428:57ab"]
    ...
  4. Save your changes and refresh the CubeBackup login page to ensure the settings are applied.