GUIDE / BACKUP & ARCHIVE

    The 3-2-1 Backup Rule: Build a Backup Plan That Can Actually Restore

    One storage array is not a backup plan. Neither is RAID, a collection of snapshots, or a second disk permanently attached to the same server.

    Updated July 2026·15 min read·Applies to homelab & small business
    3
    Copies of your data
    Your production data and at least two backup copies.
    2
    Storage systems or media
    Avoid keeping every copy on the same server, array or storage platform.
    1
    Copy stored offsite
    Keep one copy outside the primary building, network or failure domain.
    01

    The rule at a glance

    The goal is to prevent one hardware failure, configuration error, ransomware incident, theft or physical disaster from destroying every copy at the same time.

    The rule is simple enough for a homelab and flexible enough for a business environment. The difficult part is deciding what counts as an independent copy and making sure those copies can actually be restored.

    SOURCE / CISA

    CISA describes the rule as three copies of important files, two different storage types and one copy stored away from the main location.

    The rule reduces dependency. When one system fails, another copy remains available. When the entire location is affected, the offsite copy provides another recovery path.

    What the number 3 means

    You should have three total copies: your working production data, plus a first and second backup copy. The production copy does not need to be duplicated manually — it is simply the data currently used by your applications, virtual machines, computers or file servers. For example:

    CopyLocation
    ProductionVirtual machines on a Proxmox cluster
    Backup copy oneProxmox Backup Server on a separate physical server
    Backup copy twoRemote PBS server, cloud repository or offline tape

    Three copies provide room for overlapping failures. A failed production disk may be recoverable from the local backup. If the local backup is also damaged, corrupted or unavailable, the third copy remains.

    More copies do not automatically provide more protection. Three backups stored on the same NAS can still disappear together.

    What the number 2 means

    The traditional interpretation recommends two different media types, such as disk and tape. Modern environments should also consider separate storage systems and separate failure domains. Two USB drives connected to the same computer may technically be separate devices, but they remain exposed to the same malware, power event, theft and user account.

    A stronger design pairs a local disk backup for fast recovery with object storage, tape or a remote backup server for independent recovery. The second storage system should not depend on the same controller, administrator account, power source or physical server as the first.

    Primary backupSecond backup
    NASCloud object storage
    Proxmox Backup ServerRemote PBS server
    Local backup applianceLTO tape
    External hard driveEncrypted cloud backup
    ZFS backup serverOffline removable disk
    Kubernetes backup repositoryObject storage in another region

    Using different media helps, but independence matters more than collecting different device types.

    What the number 1 means

    At least one backup copy should be stored offsite. An offsite backup protects against incidents that affect the entire primary location:

    1Fire
    2Flooding
    3Theft
    4Electrical damage
    5Building access problems
    6Ransomware spreading through the local network
    7Accidental deletion by an administrator

    An offsite copy could be:

    1A remote backup server in another office
    2A hosted Proxmox Backup Server
    3Cloud object storage
    4A tape stored in a secure external location
    5An encrypted removable drive stored elsewhere
    6A backup repository in another cloud region

    Offsite does not automatically mean protected. A cloud repository controlled through the same compromised administrator account may still be deleted, and a remote NAS permanently mounted to the production network may still be encrypted by ransomware. Location separation should therefore be combined with access separation.

    02

    What doesn't count as a backup

    Why RAID is not a backup

    RAID improves storage availability when a drive fails. It does not create an independent historical copy of your data. RAID normally cannot protect you from:

    1Accidental file deletion
    2Ransomware encryption
    3Application corruption
    4A failed storage controller
    5Theft of the server
    6Fire or water damage
    7Administrator mistakes
    8Multiple failed drives beyond the array tolerance

    When a file is deleted from a RAID array, the deletion is applied across the array. RAID faithfully preserves the current state, including unwanted changes. Use RAID to improve availability; use backups to recover earlier or independent versions of the data.

    Why snapshots alone are not enough

    Snapshots are useful for quick rollback, testing and recovering recently changed files. But a snapshot stored on the same production system is not an independent backup — if the pool, array, server or administrative account is compromised, the snapshots may disappear with the original data.

    Snapshots can be one layer of a backup strategy when they are replicated or copied to another protected system. They should not be the only recovery method.

    Why replication is not the same as backup

    Replication copies data from one system to another. That helps with availability, but it may also copy:

    1Corrupted files
    2Encrypted files
    3Accidental deletions
    4Incorrect configuration changes
    5Damaged database content

    Versioning and retention determine whether the destination can recover an earlier state. A replicated copy with no historical versions may provide redundancy without providing useful recovery.

    03

    Beyond the basics: the 3-2-1-1-0 rule

    Is the 3-2-1 rule still enough? The basic rule remains a strong foundation, but modern attacks often target backup systems directly. Ransomware operators may try to delete backup jobs, remove snapshots, erase repositories, compromise cloud accounts and disable recovery administrators.

    SOURCE / NCSC

    The NCSC notes that data stored on premises or in the cloud is not ransomware resistant by default. Its guidance recommends protection against destructive actions, access loss and corruption of later backup versions.

    This has led many organizations to extend the rule to 3-2-1-1-0:

    3Three copies of your data
    2Two storage systems or media
    1One copy stored offsite
    1One offline, air-gapped or immutable copy
    0Zero unverified recovery errors

    The extra copy should resist modification or deletion. Possible options include:

    1Offline LTO tape
    2A disconnected encrypted drive
    3Object storage with retention protection
    4An immutable backup repository
    5A hardened repository with restricted access
    6A backup service designed to resist destructive administrative actions

    The zero means that backups are checked and restores are tested. A backup job marked successful does not prove that the application, database or virtual machine can be recovered.

    SOURCE / CISA

    CISA recommends maintaining offline encrypted backups and regularly testing their availability and integrity in a disaster recovery scenario.

    04

    Reference architectures

    A practical 3-2-1 architecture for Proxmox

    A small Proxmox environment could use the following design:

    LayerExample
    ProductionProxmox VE virtual machines on local ZFS or shared storage
    Local backupProxmox Backup Server on separate hardware
    Offsite backupRemote PBS, hosted backup repository or cloud destination
    Protected copyImmutable object storage, offline disk or LTO tape
    VerificationScheduled verification jobs and regular test restores

    The local PBS copy provides fast restores. The remote or cloud copy protects against loss of the primary site. The protected copy provides another recovery path when online backup credentials or repositories are compromised. Read the Proxmox Backup Server guide for deduplication, remote sync and offline backup considerations.

    A practical strategy for a homelab

    A homelab does not need enterprise software to follow the rule. One possible setup:

    1Store production data on ZFS, Unraid or a NAS
    2Back up important data to another physical machine
    3Copy selected backups to encrypted cloud storage
    4Rotate an offline USB drive for critical files
    5Test a restore every month
    ×Do not treat another folder on the same NAS as the second copy.
    ×Do not leave every backup drive permanently connected.
    ×Do not place the only offsite copy in a cloud account with weak authentication.

    The objective is independence, not complexity.

    A practical strategy for a small business

    1Production servers and employee devices
    2A local backup appliance for fast recovery
    3A separate cloud or remote repository
    4Immutable retention or offline media
    5Separate backup administrator credentials
    6Documented recovery priorities
    7Scheduled restore testing

    Critical systems should be prioritized according to how much data the business can afford to lose and how quickly the systems must return. These requirements are commonly expressed through:

    RPO — RECOVERY POINT OBJECTIVE

    The maximum acceptable amount of data loss, measured in time.

    RTO — RECOVERY TIME OBJECTIVE

    The maximum acceptable period before the system must be operational again.

    A system with an eight hour backup schedule cannot reliably meet a one hour recovery point objective.

    05

    Build your strategy: seven steps

    STEP 1

    Identify what must be recovered

    Start with the data and systems that would cause real damage if lost. Not every temporary file needs the same protection.

    1Virtual machines
    2Databases
    3Business documents
    4Customer data
    5Application configuration
    6Source code
    7Identity systems
    8Encryption keys
    9Network configuration
    10Kubernetes manifests and persistent data
    STEP 2

    Define recovery requirements

    For each system, record the following. This prevents a backup schedule from being selected without understanding the actual business requirement.

    1How much data loss is acceptable
    2How quickly it must return
    3How long backups must be retained
    4Who is responsible for restoring it
    5What dependencies must also be recovered
    STEP 3

    Create the local backup

    The first backup should normally support quick recovery. Place it on a separate storage system where possible — the backup system should not share every failure point with production.

    1A dedicated PBS server
    2A backup NAS
    3A backup appliance
    4A separate ZFS server
    5A dedicated disk repository
    STEP 4

    Create the offsite copy

    Copy the backups to another physical location or independent cloud platform. Consider:

    1Available upload bandwidth
    2Initial backup size
    3Daily change rate
    4Retention requirements
    5Cloud retrieval charges
    6Encryption
    7Account recovery
    8Regional availability
    9Data residency requirements

    Read the cloud backup options guide when comparing online destinations.

    STEP 5

    Protect one copy from deletion

    Use an offline or immutable copy for important systems. Limit who can change retention policies or delete backups — where possible, production administrators should not have unrestricted control over every backup layer.

    SOURCE / NIST

    NIST guidance published in June 2026 recommends keeping a backup copy offline or otherwise protected so an attacker cannot reach or compromise it.

    STEP 6

    Automate the workflow

    Manual backups are easily forgotten. Automation should reduce repetitive work without hiding failures. Automate:

    1Backup creation
    2Backup copying
    3Retention
    4Verification
    5Failure alerts
    6Capacity alerts
    7Expiration of old backups
    STEP 7

    Test recovery

    Test different recovery levels. Record how long the restore takes and what prevents it from completing.

    1One deleted file
    2One virtual machine
    3One database
    4One application
    5An entire host
    6Loss of the primary backup repository
    7Loss of the main location
    SOURCE / NIST

    NIST warns that organizations may have backups without regularly confirming whether those backups can restore their systems.

    06

    Common 3-2-1 backup mistakes

    ×Keeping all copies on one server

    Separate folders and datasets do not protect against the loss of the physical system.

    ×Permanently mounting the backup repository

    A permanently accessible backup share may be reachable by malware or compromised administrator accounts.

    ×Using the same credentials everywhere

    One stolen account should not be able to delete production data, local backups and offsite backups.

    ×Confusing sync with backup

    A synchronization service may immediately copy a deletion or corrupted file to every connected device. Look for version history, retention and independent recovery.

    ×Never testing a full restore

    A backup can be complete while the recovery process still fails because of missing credentials, configuration, encryption keys or application dependencies.

    ×Ignoring the backup database

    Some platforms require catalogs, indexes or configuration databases to perform an efficient recovery. Protect the backup system configuration as well as the backup data.

    ×Keeping only recent backups

    Corruption or compromise may remain undiscovered for weeks. Retention should include enough historical versions to return to a known good point.

    ×Protecting data but not credentials

    Encryption keys, cloud recovery codes and administrative credentials must be available during a disaster without being exposed to normal production access.

    07

    Backup frequency and retention

    There is no universal schedule, but a simple starting point could be:

    Backup typeFrequencyRetention
    Frequent backupEvery four hoursTwo days
    Daily backupEvery nightFour weeks
    Weekly backupOnce per weekThree months
    Monthly backupOnce per monthOne year
    Annual archiveOnce per yearBased on legal or business requirements

    The schedule should follow recovery objectives rather than copying a generic template. High-change databases may need continuous or hourly protection; an archive of completed projects may only need periodic copies.

    08

    The 3-2-1 backup checklist

    0 / 14

    Use this checklist to review your environment — click to check off what you already have:

    A large number of successful backup jobs cannot replace a tested restore.

    09

    Frequently asked questions

    The 3-2-1 backup rule recommends keeping three total copies of your data, using two separate storage systems or media and storing at least one copy offsite.

    No. RAID protects against certain disk failures but normally does not protect against deletion, ransomware, corruption, theft or loss of the whole server.

    Snapshots can support recovery, but snapshots stored only on the production system are not independent backups. Copy or replicate them to another protected system.

    It can. The cloud repository should use versioning, encryption, strong authentication and protection against unauthorized deletion.

    They can contribute to the strategy when they are independent, properly rotated and not permanently connected. Keeping both drives beside the same computer provides limited protection from theft or physical damage.

    Backup frequency should be based on how much data you can afford to lose. A four hour recovery point objective generally requires backups or replication points at least every four hours.

    It is a strong foundation, but an offline or immutable copy and tested recovery provide stronger protection. This expanded model is often called the 3-2-1-1-0 rule.

    Recoverability. A backup has limited value until you know the data, applications and systems can be restored within the required time.

    Build independent recovery paths

    The strength of the 3-2-1 rule comes from separation. Your production system, local backup and offsite copy should not all depend on the same hardware, administrator account, storage platform or physical location.

    Start with three recoverable copies. Add access separation, immutability and restore testing as the environment becomes more important. A simple strategy that is regularly tested is safer than an elaborate backup design that nobody knows how to restore.