"I didn't think it would happen to me." That's what everyone says after losing their data. Hard drives fail. Laptops get stolen. Ransomware encrypts everything. Houses flood. The question isn't if you'll experience data loss, but when.
I encrypt all my backups and store them in multiple locations, including different countries. Below is the strategy I use myself, which serves as a solid foundation for anyone's backups.
The 3-2-1 backup rule
The 3-2-1 rule is the foundation of any solid backup strategy:
- 3 copies of your data (the original plus two backups)
- 2 different media types (internal drive, external drive, cloud, tape, etc.)
- 1 copy offsite (physically separate location)
This protects against various failure modes. A single backup on an external drive next to your computer doesn't protect against theft, fire, or flooding. Cloud-only backups don't protect against account lockouts or service outages. The combination provides defence in depth.
Why encryption is non-negotiable
Every backup I create is encrypted before it leaves my machine. This isn't paranoia — it's basic security hygiene. Here's why:
- Physical theft: If someone steals your external drive or laptop, encrypted backups are useless to them
- Cloud storage: You're trusting a third party with your data. Encryption means they can't read it even if they wanted to
- Offsite storage: Backups at a friend's house, bank safe deposit box, or another location should be unreadable without your key
- Compliance: Many regulations require encryption of personal data at rest
Most modern backup tools support encryption natively. Enable it. Use a strong passphrase. Store the passphrase securely (a password manager works well).
My backup locations
I maintain backups in multiple locations, following the 3-2-1 rule:
Local backups
The first line of defence. Fast to create, fast to restore. I use encrypted external drives as the target for hourly or daily incremental backups. This catches accidental deletions and file corruption quickly.
Offsite backups (same country)
A backup at a friend's house or office protects against localised disasters — fire, flooding, burglary. I rotate encrypted drives periodically. The key is that it's physically separate from the primary location.
Offsite backups (different countries)
For the truly critical data, I maintain encrypted backups in different countries. This protects against regional disasters and legal seizure, and ensures availability even during major disruptions. Cloud storage with servers in multiple regions works well for this.
Backup tools by platform
macOS: Time Machine
Time Machine is excellent for local backups. It's built into macOS, runs automatically, and supports encryption. Connect an external drive, enable Time Machine, tick the encryption checkbox, and you're done.
For offsite/cloud backups, combine Time Machine with a tool like Arq, Duplicati, or restic to push encrypted backups to cloud storage.
Windows: File History
File History provides versioned backups of your files to an external drive or network location. It's simpler than full system imaging but covers the most important data — your documents, photos, and work files.
For more comprehensive backups, consider Windows Backup (built-in) or third-party tools like Veeam Agent (free), Duplicati, or Backblaze.
Linux: multiple excellent options
Linux users have several excellent backup tools:
- Borg Backup: Deduplicating, encrypted, efficient. My personal choice for servers. Works over SSH, supports compression, and handles large datasets well
- Kopia: Modern alternative to Borg with a nice GUI. Supports multiple backends including S3, Azure, Google Cloud, and local storage
- Deja Dup: User-friendly GUI for GNOME desktops. Uses duplicity under the hood. Great for desktop users who want something simple
- restic: Fast, secure, supports many backends. Good documentation and active development
- rsync + scripts: Not a backup tool per se, but combined with snapshots and rotation, it works well for simple needs
What to back up
Not everything needs the same backup treatment:
Critical (3-2-1 with offsite)
- Documents, photos, videos — irreplaceable personal files
- Code repositories (though these should also be on GitHub/GitLab)
- Password manager databases
- Encryption keys and certificates
- Financial records
- Configuration files and dotfiles
Important (local + one offsite copy)
- Application settings and preferences
- Email archives
- Downloaded software installers
- Virtual machines
Replaceable (local backup only, or none)
- Operating system files (can be reinstalled)
- Applications (can be re-downloaded)
- Cache and temporary files
The forgotten step: test your restores
A backup you haven't tested is a backup you can't trust. I regularly verify my backups by:
- Restoring random files: Pick a few files each month and restore them. Do they open correctly?
- Full restore drills: Annually, I restore a complete backup to a spare drive or VM. This catches issues before they matter
- Verifying checksums: Most backup tools can verify backup integrity without doing a full restore
- Checking encryption: Verify you can actually decrypt your backups with the stored passphrase
I've seen too many cases where someone diligently ran backups for years, only to discover during a crisis that the backups were corrupted, incomplete, or impossible to restore.
Additional considerations
Versioning
Keep multiple versions of your backups. If ransomware encrypts your files and you only have one backup copy that syncs immediately, your backup gets encrypted too. Point-in-time recovery lets you go back to before the problem started.
Retention policies
Don't keep everything forever (unless you need to for compliance). A common scheme: hourly backups for 24 hours, daily for 30 days, weekly for 12 weeks, monthly for 12 months. This balances recoverability with storage costs.
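The scheme above can be expressed as a selection over snapshot timestamps. This is an added sketch, not code from any backup tool: it keeps the newest snapshot per hour, day, ISO week and month inside each window, and it assumes windows are measured back from the current time with 12 months taken as 365 days. Real tools apply their own rules, which may differ.

```python
from datetime import datetime, timedelta

# Retention scheme from the text as (label, window, bucket-key function).
# Assumption: windows count back from "now"; 12 months is taken as 365 days.
RULES = [
    ("hourly", timedelta(hours=24), lambda t: (t.date(), t.hour)),
    ("daily", timedelta(days=30), lambda t: t.date()),
    ("weekly", timedelta(weeks=12), lambda t: t.isocalendar()[:2]),
    ("monthly", timedelta(days=365), lambda t: (t.year, t.month)),
]

def plan_retention(snapshots, now):
    """Return (keep, prune): keep maps snapshot time -> rules that retain it."""
    keep = {}
    for label, window, bucket in RULES:
        newest = {}  # bucket key -> newest snapshot seen in that bucket
        for ts in snapshots:
            if timedelta(0) <= now - ts < window:
                key = bucket(ts)
                newest[key] = max(ts, newest.get(key, ts))
        for ts in newest.values():
            keep.setdefault(ts, []).append(label)
    # Guard: if backups silently stopped, every snapshot ages out of every
    # window. Never let pruning remove the most recent copy.
    if snapshots:
        keep.setdefault(max(snapshots), ["latest"])
    prune = sorted(set(snapshots) - set(keep))
    return keep, prune

if __name__ == "__main__":
    # Constructed sample: one snapshot per hour for 400 days.
    now = datetime(2024, 6, 30, 12, 0)
    snaps = [now - timedelta(hours=h) for h in range(24 * 400)]
    keep, prune = plan_retention(snaps, now)
    print(f"{len(snaps)} snapshots: keep {len(keep)}, prune {len(prune)}")
    for ts in sorted(keep, reverse=True)[:5]:
        print(ts.isoformat(), keep[ts])
```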
Automation
Manual backups don't happen. Automate everything. The best backup is the one that runs without you thinking about it.
Documentation
Document your backup strategy. Where are the backups? What's the encryption passphrase? How do you restore? Store this documentation separately from the backups themselves. A family member or colleague should be able to recover your data if you're unavailable.
Getting started
If you don't have a backup strategy yet, start simple:
- Today: Buy an external drive, set up Time Machine/File History/Deja Dup with encryption
- This week: Sign up for a cloud backup service or set up rsync/restic to cloud storage
- This month: Arrange offsite storage — a friend's house, a bank box, or a second cloud provider
- Quarterly: Test your restores
The best time to set up backups was before you needed them. The second best time is now.