00

Why this matters

There is an old line among the people who do this for a living: one copy is no copy. A file that exists in only one place is one spilled coffee, one dropped laptop, one stolen bag away from being gone for good.

Three different troubles take files, and a real backup answers all three. A drive fails or a laptop is stolen, so you need another copy. A fire or a flood hits your home, so one copy has to live somewhere else. And ransomware, the software that scrambles everything it can reach and demands payment, has made a fourth point sharp: at least one copy must sit beyond its reach.

The plan that covers all of this is simple enough to remember as three numbers, and the rest of this guide is how to set it up. The one addition worth making from the start is encryption. A copy you keep elsewhere is a copy you no longer guard, so it should be scrambled with a key only you hold, which makes a stolen drive or a leaked cloud account worthless to whoever ends up with it.

What this is, in one line

Keep three copies of anything you cannot bear to lose, on two kinds of storage, with one elsewhere, and encrypt them so only you can open them.

01

The rule in plain words

The 3-2-1 rule is endorsed by the security agencies as the baseline for good reason. Each number closes a different gap.

Three copies means the original plus two backups. With three, the chance of all of them failing at the same moment is small enough to forget about. Two copies is a fair start, and three is the standard the rule sets.

Two kinds of storage means not putting every copy on the same type of thing. Two external drives from the same batch can fail the same way in the same week. An internal drive and an external drive, or a drive and a cloud, do not share a single point of failure.

One offsite means one copy that is not in your home. If everything you own is in one building, one fire or one burglary takes the lot, backups included. A copy in the cloud, or a drive at a relative’s house, survives the day your home does not.

The quiet fourth and fifth

Professionals often stretch this to 3-2-1-1-0: one copy kept offline or otherwise unchangeable, and zero backups left untested. Both are habits rather than extra hardware, and both are covered below, because a backup ransomware can reach, or one that never restores, is not a backup.

02

What to back up

Not everything is worth the trouble, and treating it all the same is how people give up. Sort what you have into two piles.

The first pile is the irreplaceable: your photos and videos, documents you made, the recovery codes and keys that get you into everything else, and any self-custody crypto. Lose these and no shop can sell you another. This pile is what the three copies are for.

The second pile is everything you could get back with time and patience: the operating system, apps, films and music you can download again, files already held by a service. These are worth backing up for convenience, and losing them is an annoyance rather than a wound. Spend your care on the first pile.

Start with the photos

If the whole project feels large, begin with the one folder of family photos. It is the thing people grieve most when it is gone, and getting it into three copies tonight is a real win on its own.

03

Set up the three copies

The three copies are your device, a drive at home, and a copy that lives elsewhere. Encrypt each one as you go.

1
Copy one: your device

Turn on full-disk encryption first

Your working machine is copy one, and locking it is step one. Turn on the built-in full-disk encryption: BitLocker on Windows, FileVault on Mac, LUKS on Linux. Now a stolen laptop is a lump of scrambled metal rather than an open door, and the copies that follow inherit the same habit.

2
Copy two: a drive at home

Back up to an encrypted external drive

Get an external drive and let the built-in tool use it: File History on Windows, Time Machine on Mac, which can encrypt the drive as it backs up. On Linux, a tool like Déjà Dup does the same. Encrypt the drive, and unplug it between backups, which matters for the ransomware section below.

3
Copy three: offsite

Send an encrypted copy elsewhere

The third copy leaves your home, so it must be scrambled before it goes. Cryptomator encrypts your files on your own machine and syncs the scrambled result to any cloud, so the provider holds only nonsense and never your key. For a full automated backup, restic or Borg encrypt everything and upload only what changed. A drive kept at a relative’s house works too, if it is encrypted.

4
Automate it

Make it happen without you

Set the backups on a schedule so they run on their own, daily for most people. The whole plan fails quietly if it depends on you remembering, so let the machine remember instead.

5
Test a restore

Prove a backup works

Pick a file, pretend it is lost, and restore it from each copy. A backup you have never restored is a hope, not a backup. Do this once now, and again every few months, and you will never meet a corrupted backup for the first time during a real emergency.

Hold your own key, and keep it safe

Encryption only helps if you control the key, and it only forgives you if you do not lose it. Keep each passphrase somewhere safe and separate from the backup itself. Lose the key and the backup is as gone as if it burned, which is why the sealed handover guide exists.

04

Beating ransomware

Ransomware is the case the ordinary backup misses, because it is built to take your backups too.

When it lands, it encrypts everything it can reach and asks for money to unlock it. The catch is what it can reach: every drive plugged in at that moment, and every cloud folder syncing in the background. A backup that is always connected is a backup ransomware encrypts alongside the original.

The answer is one copy it cannot touch. An external drive you unplug between backups is offline when the attack comes, so it survives untouched. A cloud service that keeps old versions of your files lets you roll back to the morning before, even if the live copies were scrambled. Either way, the rule’s offsite copy becomes the one that brings you back.

The unplugged drive is the hero

Of all the steps here, the drive you physically disconnect is the one that defeats ransomware outright. Back up to it, unplug it, and a bad day stays a bad day instead of becoming a lost decade of photos.

05

If something breaks

Symptom | What to try
the backup is taking forever | The first backup copies everything and is slow. Later ones copy only changes and are quick. Leave the first to run overnight.
I am running out of space | Back up the irreplaceable pile, not the whole disk. Drop films and apps you can download again.
I forgot the encryption passphrase | There is no master key by design. This is why the passphrase must be stored safely and separately, where a trusted person can also find it.
the cloud copy feels too slow to trust | Use the local drive for day-to-day restores and the cloud as the offsite safety net. They have different jobs.
I never remember to plug the drive in | Use a backup tool that prompts you, and pick a fixed day. Or add a cloud copy that needs no plugging in.
I do not know if my backup works | Restore a single file today. If it comes back and opens, the backup is real. If it does not, fix it now, not later.

06

Quick reference

Copy | What it is
One | Your device, with full-disk encryption on.
Two | An encrypted external drive, unplugged between backups.
Three | An offsite copy, encrypted before it leaves: Cryptomator to a cloud, or restic or Borg.
Two media | Make the copies different kinds of storage, not two of the same.
The habit | Automate it, and test a restore every few months.
Against ransomware | Keep one copy offline or version-controlled.
The key | Hold your own passphrase, stored safely and separately.

07

Common questions

The questions people ask before they finally set up the backup they have meant to for years.

What is the 3-2-1 rule?

Three copies of your data, on two different kinds of storage, with one kept somewhere else. The three copies cover a drive that fails, the two kinds of storage cover a fault that hits one of them, and the offsite copy covers a fire or a theft that reaches your home.

Do I need to encrypt my backups?

Yes, the offsite one above all. A backup drive is as easy to steal as a laptop, and a cloud account can leak. Encrypt each copy with a key you hold, and a stolen or leaked backup is a brick to whoever finds it.

What is the best way to back up to the cloud privately?

Encrypt before it leaves your machine. Cryptomator scrambles your files on your own computer so the cloud holds only nonsense and never sees your key. For a full backup, command-line tools like restic and Borg encrypt everything and upload only what changed.

Will a backup protect me from ransomware?

Only if the ransomware cannot reach it. It encrypts every drive and synced folder it can see, backups included. Keep one copy unplugged, or in a cloud that keeps old versions you can roll back to, and you can restore from before the attack.

How often should I back up?

Often enough that losing the gap would not hurt. For most people a daily automatic backup is about right. Automate it, because a backup that depends on you remembering is one you will forget.

Cloud or external drive?

Both, which is the point of the rule. An external drive is fast to restore from and stays in your hands. A cloud copy survives a fire at home. Use one as the nearby copy and the other as the offsite copy.

What if I lose the encryption password?

Then the backup is gone, the same as if it had burned. That is the cost of holding your own key. Keep the passphrase somewhere safe and separate, and make sure a trusted person could find it, which the handover guide covers.

Is my phone backed up too?

It should be. The photos and messages on a phone are often the least replaceable thing you own. Make sure they form part of one of your three copies, rather than living only on the phone itself.