A photographer friend lost 15 years of work — 400,000 RAW files — when a ransomware attack encrypted his NAS and the USB drive plugged into it. He had two copies of everything, both in the same room, both accessible from the same network. He had backups. He just didn’t have the right backups.
The 3-2-1 rule exists because people learn this lesson the hard way, and it doesn’t need to be that way. The strategy is old (coined by photographer Peter Krogh around 2005), but it remains the gold standard because it’s simple, resilient, and addresses the actual ways people lose data.
Key Takeaways
- 3-2-1 means: 3 copies of your data, on 2 different types of media, with 1 copy off-site — this survives hardware failure, theft, fire, flood, and ransomware
- The most common backup failure is never testing restores — a backup you haven’t verified is a hope, not a backup
- Automated backups are the only backups that actually happen — if it requires manual effort, you’ll eventually stop doing it
- Cloud storage alone is not a backup strategy — if you delete a file from Google Drive, it’s deleted from every synced device
- The cost of a proper backup system ($100-300 for hardware + $50-100/year for cloud) is trivial compared to the cost of data loss
The 3-2-1 Rule Explained
The numbers are specific and each one solves a different problem.
3 copies protects against hardware failure. Hard drives fail. SSDs fail. Everything fails eventually. If you have one copy and the drive dies, your data is gone. Two copies is better — the chance of both drives failing simultaneously is low. Three copies makes data loss from hardware failure statistically negligible. One copy is your working data (on your computer). The other two are backups.
2 different media types protects against correlated failures. If both your backups are on identical USB drives from the same manufacturer and batch, a manufacturing defect could kill both. If both are on the same NAS with RAID, a firmware bug or ransomware attack hits everything at once. Using different media (one local drive plus one cloud service, or one NAS plus one external drive) ensures a single failure mode can’t destroy all copies.
1 off-site copy protects against physical disasters. Fire, flood, theft, lightning strike — any event that destroys everything in one location. Your house burning down takes your computer, your NAS, and that external drive in the desk drawer. An off-site copy (cloud storage or a drive stored at a friend’s house, a family member’s place, or a bank safe deposit box) survives because it’s geographically separated.
The photographer in the opening would have survived if he’d had any off-site copy. His two local copies couldn’t protect against an attack that affected everything on his network.
What to Back Up (And What Not To)
Not everything needs the same backup treatment. Categorize your data by replaceability:
Irreplaceable data — photos, personal videos, important documents, creative work, research data. This gets full 3-2-1 treatment. If it can’t be downloaded again, rewritten, or recreated, it needs robust backup.
Difficult to replace — application settings and configurations, email archives, bookmarks, financial records, tax documents. Back this up, but a single reliable backup might be sufficient for some of it.
Easy to replace — installed applications, operating systems, media you can re-download (music from streaming services, purchased games on Steam). These don’t need backup; they need a list of what to reinstall. Keep a document listing your installed software, license keys, and account credentials (stored in your password manager).
Not worth backing up — temporary files, browser cache, downloads folder contents (move important downloads elsewhere), anything you’d be relieved to delete.
Most people have 50-500GB of truly irreplaceable data (mostly photos and videos) and several terabytes of replaceable media. Focus your backup budget and effort on the irreplaceable stuff.
Local Backup: The First Layer
Your first backup copy should be local — on a drive you physically control. Local backups are fast (no internet upload speeds to wait on), fully under your control, and available even without internet.
External Hard Drive
The simplest option. A 4TB external USB drive costs about $80. Plug it in, set up automated backups, done.
On macOS: Time Machine is built in, well-designed, and automatic. Plug in the external drive, click “Use as Backup Disk” when prompted, and macOS handles everything — hourly incremental backups, version history, and easy restores. Time Machine is honestly one of the best backup tools ever built for normal people.
On Windows: File History (Settings > Update & Security > Backup) provides automatic versioned backups to an external drive. It’s more limited than Time Machine but functional. For more control, use free tools like Veeam Agent for Microsoft Windows Free, or the built-in Windows Backup (which now backs up to both local storage and OneDrive).
On Linux: rsync with a cron job is the traditional approach. For a friendlier experience, Deja Dup (GNOME’s built-in backup tool) provides a GUI wrapper around duplicity with scheduling and encryption. BorgBackup is excellent for power users — it deduplicates, compresses, and encrypts, and a 500GB dataset with incremental changes might only use 50GB of backup space.
The critical detail: don’t leave the external drive permanently connected. A ransomware attack or accidental mass deletion affects connected drives. Back up regularly (daily or weekly), then disconnect the drive. If you want always-connected local backup, use a NAS with snapshots (covered below).
NAS (Network Attached Storage)
A NAS is a dedicated file server on your network — always on, always accessible, backing up multiple computers automatically. Synology and QNAP are the major consumer brands. A Synology DS224+ ($300) with two 4TB drives in RAID 1 (mirror) gives you 4TB of storage that survives a single drive failure.
NAS advantages over an external drive: it backs up every computer on your network (not just one), it’s always connected and accessible, it runs scheduled snapshots (point-in-time copies that ransomware can’t easily destroy), and it can serve as a media server, file share, and self-hosting platform simultaneously.
Important: RAID is not backup. RAID protects against drive failure but not against accidental deletion, ransomware, corruption, or physical disaster. RAID means your NAS keeps running if one drive dies. You still need the other two copies in the 3-2-1 strategy.
Cloud Backup: The Off-Site Layer
Cloud backup solves the off-site requirement without you needing to physically transport drives to another location. Your data is stored in a data center far from your home, surviving anything that could happen locally.
Dedicated Cloud Backup Services
These are specifically designed for backup — unlimited or high-capacity storage at flat monthly rates:
Backblaze Personal Backup ($99/year) backs up your entire computer continuously with unlimited storage. It’s set-and-forget: install the app, let it upload, and your computer is backed up. Restores are available as downloads or they’ll ship you a hard drive ($189 refundable deposit). The simplicity is the selling point. The limitation: it only backs up directly connected drives, not NAS volumes or network shares.
Backblaze B2 ($6/TB/month for storage, $0.01/GB for downloads) is object storage — think of it as raw cloud storage you can connect various backup tools to. More flexible than Personal Backup but requires a backup application to manage the process. BorgBackup with borgmatic, or Restic, can back up to B2 efficiently with deduplication and encryption.
iDrive ($80/year for 5TB) backs up unlimited devices (computers, phones, NAS) with 5TB total storage. It supports NAS backup directly, which Backblaze Personal doesn’t. Good for families with multiple devices.
Arq Backup ($50 one-time for the app, then pay for your chosen cloud storage) lets you encrypt and back up to any storage provider: AWS S3, Google Cloud Storage, Backblaze B2, or even your own server. Maximum flexibility, maximum control.
Cloud Storage vs Cloud Backup
This distinction matters. Cloud storage (Google Drive, Dropbox, iCloud Drive, OneDrive) syncs files between your devices. If you delete a file on your computer, it gets deleted from the cloud. If ransomware encrypts files on your computer, the encrypted versions sync to the cloud. Sync services typically keep deleted files for 30-90 days, which gives you some protection, but it’s not the same as a proper backup with long retention.
Cloud backup (Backblaze, iDrive, Arq) makes independent copies of your files. Deleting a file on your computer doesn’t delete the backup. Ransomware encrypting your local files doesn’t affect the backup. Backups retain versions over time, so you can restore a file as it was last week, last month, or last year.
You can use cloud storage as one component of a backup strategy — keeping your documents in Google Drive means they exist in Google’s data centers and are protected against local hardware failure. But relying on cloud storage as your only backup is risky because of the sync problem. Use it as a convenience layer, not a backup layer.
Implementing 3-2-1: Real Examples
Simple Setup (One Person, Limited Budget)
- Copy 1: Your computer (working copy)
- Copy 2: 4TB external USB drive ($80), backing up weekly with Time Machine / File History / Deja Dup
- Copy 3: Backblaze Personal Backup ($99/year), continuous cloud backup
Total cost: ~$180 first year, $99/year ongoing. This protects against hardware failure (external drive), ransomware (Backblaze has independent copies), theft/fire (Backblaze is off-site). It’s simple, automated, and covers the 3-2-1 requirements.
Family Setup (Multiple Computers, Photos, NAS)
- Copy 1: Each family member’s computer (working copies)
- Copy 2: Synology DS224+ NAS ($300) with 2x 4TB drives in RAID 1 ($140 for drives). All computers back up to the NAS automatically. NAS also stores shared photo library.
- Copy 3: NAS backs up critical folders to Backblaze B2 ($6/TB/month) using Synology’s Hyper Backup app. Alternatively, iDrive ($80/year for 5TB) backs up NAS and all computers.
Total cost: ~$520 first year, $70-150/year ongoing. The NAS serves as both backup destination and file server. B2 or iDrive provides the off-site copy. Photos exist on phones, the NAS, and the cloud — three copies across multiple media types and locations.
Power User Setup (Serious About Data)
- Copy 1: Working data on computers
- Copy 2: NAS with snapshots (Synology/TrueNAS) — immune to ransomware because snapshots are read-only
- Copy 3a: Automated cloud backup to Backblaze B2 with client-side encryption (your cloud provider can’t read your data)
- Copy 3b: Quarterly manual backup to an external drive stored in a safe deposit box or at a trusted friend’s house
This exceeds 3-2-1 — it’s closer to 4-3-2 (four copies, three media types, two off-site locations). The quarterly off-site drive protects against the scenario where both your NAS and your cloud provider have simultaneous issues (unlikely but not impossible).
Testing Your Backups
A backup you’ve never restored from is Schrodinger’s backup — it may or may not contain your data. You won’t know until you try.
Test quarterly. Pick a few random files — a photo from last year, a document from six months ago, a folder of project files. Restore them from your backup and verify they’re intact. This takes 10 minutes and confirms your backup system actually works.
Test your full restore process at least once. Can you restore your computer from scratch using just your backups? If your laptop died today, how long would it take to get back to a working state? Walk through the process mentally, and ideally test it on a spare machine or VM. You might discover that your backup doesn’t include your SSH keys, your application license files, or your browser bookmarks. Better to discover this during a test than during an emergency.
Verify backup automation is still running. Automated backups silently stop all the time — the external drive fills up, the backup service subscription lapses, a software update breaks the scheduled task. Check your backup status monthly. Backblaze and iDrive send email alerts when backups stop — make sure these emails aren’t going to spam.
Special Cases
Photos and Videos
For many people, photos are the most irreplaceable data they have. Phones make this easier than it used to be — iCloud Photos, Google Photos, and Amazon Photos all provide automatic cloud backup of your phone’s camera roll.
But cloud photo services are sync, not backup. Delete a photo from your phone and it eventually deletes from the cloud (after a trash retention period). The backup strategy for photos: let your phone sync to a cloud photo service for convenience, but also maintain a separate backup. Tools like PhotoSync (iOS/Android) can automatically send photos to your NAS over your home network. Synology Photos (the built-in photo app on Synology NAS) provides a Google Photos-like experience with local storage.
The ultimate photo backup: phone syncs to cloud (iCloud/Google Photos) for convenience and off-site protection. Phone also syncs to NAS for local copy. NAS backs up to B2 for a second off-site copy. Three copies, three locations, fully automated.
Version Control for Documents
Standard backup gives you snapshots in time. But if you’re working on a document and need to see what you wrote last Thursday, you need versioned backup.
Time Machine (macOS) and File History (Windows) both keep versions. BorgBackup keeps versions. Most cloud backup services keep 30-90 day version history. For critical documents (legal files, contracts, creative writing), consider using Git for version control — it tracks every change you make and lets you revert to any previous state. Yes, Git works for non-code files too.
For an even simpler approach, keep critical documents in a folder synced to cloud storage (Google Drive, Dropbox) that maintains version history, AND back up that folder to a local drive. The cloud gives you version history and off-site protection; the local drive gives you fast, reliable access independent of internet connectivity.
Encrypting Backups
If your off-site backup is in the cloud, encryption matters. You’re trusting a third party with your data. Client-side encryption (encrypting before upload) means the provider stores only encrypted data they can’t read.
BorgBackup and Restic support client-side encryption natively. Arq Backup encrypts everything before uploading. Backblaze Personal Backup encrypts your data but manages the key on their side by default — you can set a private encryption key in settings (do this during initial setup). Synology Hyper Backup supports client-side encryption for B2 and other targets.
Don’t encrypt your local backup unless you have a specific threat model that requires it (like protecting against physical theft of the drive). If you encrypt your local backup and forget the password, you’ve effectively destroyed your own backup. Local backup encryption is appropriate for portable drives that leave your home; it’s unnecessary overhead for a drive sitting in your closet.
Frequently Asked Questions
How long does the initial cloud backup take?
It depends on your data size and internet upload speed. For 500GB of data on a 10 Mbps upload connection: about 4-5 days of continuous uploading. For 2TB: 2-3 weeks. This is the most painful part of cloud backup — the initial upload. After that, incremental backups (only changed data) are fast, typically finishing in minutes to hours daily. Backblaze, iDrive, and Arq all support throttling so the upload doesn’t saturate your internet connection during the day.
Is Google Drive / iCloud / OneDrive enough as my backup?
As your only backup, no. These are sync services: they keep files in sync across devices and in the cloud, but deleting or corrupting a file locally propagates to the cloud. They do offer trash retention (30-90 days typically) and version history, which provides some protection. As one layer of a multi-layer strategy, they’re fine. Just don’t rely on them as your only protection. Combine cloud sync with a local backup for proper 3-2-1 coverage.
What about RAID — doesn’t that protect my data?
RAID protects against drive failure, not data loss. If a drive in a RAID array dies, the array continues operating (depending on RAID level) and you replace the dead drive. But RAID doesn’t protect against accidental deletion, ransomware, software corruption, fire, theft, or user error. RAID keeps your server running when hardware fails. Backup keeps your data safe when anything fails. You need both.
How often should I back up?
Depends on how much data you can afford to lose. If losing a week of work is acceptable, weekly backups are fine. If losing a day’s work would be painful, daily backups. For truly irreplaceable active projects, continuous backup (like Backblaze’s default) or hourly snapshots (like Time Machine) make sense. For most people: continuous cloud backup (set and forget), daily local backup to NAS, and weekly backup to external drive is a strong cadence.
What’s the cheapest possible 3-2-1 setup?
A 1TB external USB drive ($40) for local backup, plus a Backblaze Personal Backup subscription ($99/year, or $7/month), plus your computer as the working copy. Total: $140 first year, $99/year after. This gives you local backup for fast restores, cloud backup for off-site protection, and automatic operation. You could go even cheaper by using a free cloud tier (Google Drive 15GB, iCloud 5GB) for your most critical small files and a USB drive for everything else, but the limited free cloud storage only covers documents, not photos or videos.
