šŸƒ Dan's Garden

Last Update: Tue Dec 02 2025 ā–Ŗ Created: Mon Dec 01 2025 ā–Ŗ 5 min read

My Backup Strategy

The Cloud is just someone elseā€™s computer

It is easy to think that once something is backed up to the cloud, it is safe. It is not. Not if you are a ā€œfreeā€ customer, and not even if you are a big corporate client.

That is why you should always have backups.

At the same time, local backups are not enough. Your house could burn or get flooded, your toddler might decide to play with your backup drives. And there are always other risks such as ransomware.

Understanding the 3-2-1 Backup Strategy

The Basic 3-2-1 Rule

The 3-2-1 backup strategy is straightforward: keep multiple copies of your data in different places. Hereā€™s a practical example - you back up your home computer to an external hard drive and upload a copy to cloud storage. Youā€™ve now got a 3-2-1 backup:

  • Three copies of your data: one on your computer, one on your hard drive, and one in the cloud;
  • Two different storage types: your computerā€™s internal drive and the external hard drive (plus the cloud makes three);
  • One copy off-site: the cloud copy is physically somewhere else.

Enhanced Protection: The 3-2-1-1 Approach

The 3-2-1-1 strategy adds one more layer - an air-gapped backup. This means:

  • Maintain at least three copies of your data;
  • Store data on at least two different types of storage media;
  • Keep one copy off-site;
  • Keep one copy completely offline or air-gapped (unplugged from everything, ideally in a safe).

That last bit is crucial. Ransomware can spread across networks and encrypt any backup it can reach. An unplugged drive sitting in a drawer? Completely safe from that threat.

What I do

  1. I keep all my data in network volumes on my NAS (which can only be accessed locally or via VPN). The system automatically takes and keeps a number snapshots of this data (daily, weekly, monthly, and yearly).
  2. Every couple of weeks, I plug in an external SSD into my desktop. It triggers a rsync job that copies all my media and documents into it. This is then unplugged and stored ā€œofflineā€.
  3. 3 times per week I run a backup from my NAS to Backblaze B2 using Backrest. This runs restic1 under the hood. It creates encrypted backups, with versioning. My retention policy is fairly extensive: 7 daily, 4 weekly, 6 monthly, and 10 yearly. Iā€™d rather pay a bit extra for storage2 than risking losing files I only notice are missing after months or a year.
  4. Out of some healthy paranoia, I am currently setting up a spare RaspberryPi4 with an external SSD at a relativeā€™s place, in an entirely different country, and plan to keep an extra copy of my photos there. This backup will be versioned and encrypted with Backrest. Access is via VPN.
graph TB
    NAS[**NAS**<br/>Snapshots]
    
    SSD[**External SSD**<br/>Offline / air-gapped]
    B2[**Backblaze B2**<br/>Encrypted]
    PI[**Remote Pi4**<br/>Off-site]
    
    NAS --> SSD
    NAS --> B2
    NAS --> PI

What do I actually backup?

As I said above, I use different network volumes on my NAS for different things:

  • I have one just for personal media (ie, photos and videos managed via Immich);
  • I use bind mounts in Docker for my self-hosted applications. Irsyncthese throughout the day between my server and the NAS. Some items will fail to copy when they are being used, so I have a separate script that stops all the containers, then runs arsyncto the NAS, and finally reboots the machine to apply weekly updates. Note that I am not backing up the full containers, only the data that I need to persist.
  • I also backup my Home Assistant install to the NAS and the cloud. This is actually the one that saved me before - the whole OS broke one day on my RaspberryPi 4 (probably because a USB connected disk isnā€™t ideal) and I was able to spin up a virtual machine, load up the backup and be back up and running in less than an hour!

Final Thoughts

This setup might seem excessive, but each layer addresses scenarios Iā€™ve read or heard about from others. The NAS handles accidental deletions, the offline drive protects against ransomware, the cloud backup guards against local disasters, and the remote Pi adds geographical redundancy.

You donā€™t need to copy this exactly. The 3-2-1 principle matters more than the specific tools. Start with what fits your budget and technical comfort level. An imperfect backup strategy you actually use beats a perfect one that never gets implemented.

Test your backups occasionally. Verify you can actually restore files. A backup is only as good as your ability to recover from it when things go wrong - and eventually, something will go wrong.

And if you believe there is something Iā€™m missing, please do get in touch! Iā€™m always looking to improve this set up.

Footnotes

  1. Restic does deduplication by saving only unique data chunks, or ā€œblobs,ā€ in a repository, which means that if the same data is backed up multiple times, it will only be stored once. This process helps to save storage space and improve backup efficiency. ā†©

  2. Backblaze B2 costs around 6 USD + VAT per 1Tb of storage, and they will bill you proportionally based on the actual usage. This is currently costing me less than 3 EUR per month. There are other options: Hetzner offers a 1Tb ā€œstorage boxā€ for under 4 EUR per month. ā†©

Backlinks