The 3-2-1 backup rule
and how to actually implement it

3-2-1 has been the gold standard for data protection for decades. Most people have the first two copies. The third - offsite - is the one that saves you when the building burns down. This page explains the rule and shows you how to implement it with restic.

What is the 3-2-1 rule?

  • 3 copies: Your primary data plus two backups. If you only have one backup and it is corrupt, you have nothing.
  • 2 media types: Your primary on one type of storage, backup on another. If both are hard drives in the same machine, a firmware bug or power surge can take both out.
  • 1 offsite copy: Physically separate from your primary location. This is the copy that survives fire, flooding, theft, and ransomware that spreads through the local network.

Why most setups fail the third rule

RAID is not backup. A second disk in the same machine is not offsite. A NAS in the same building is not offsite. Cloud sync (Dropbox, Google Drive) is not quite the same as backup - sync propagates deletions and ransomware encryption to the remote copy.

Real offsite backup means: immutable snapshots, physically separate location, encrypted with a key you control.

A practical 3-2-1 setup for homelabs and Linux servers

  • Copy 1 (primary): Your running data on your main machine or NAS.
  • Copy 2 (local backup): Restic backup to an external drive, a second NAS, or a Proxmox Backup Server on the same LAN.
  • Copy 3 (offsite): Restic over SFTP to a private encrypted vault on ServerCrate. Physically in Los Angeles, encrypted with your key, accessible from anywhere.

Setting up the offsite copy with restic

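# Set up credentials (umask 077 keeps the file root-only from the moment it is created)
# restic needs the URL form sftp://user@host:port//absolute/path for a non-default SSH port
sudo install -d -m 700 /etc/restic
sudo sh -c 'umask 077; cat > /etc/restic/env' <<EOF
RESTIC_REPOSITORY=sftp://vaultuser@vault.servercrate.net:22150//data
RESTIC_PASSWORD=your-strong-password
EOF
sudo chmod 600 /etc/restic/env

# The env file is root-only and /home and /etc need root to read in full,
# so run the remaining commands in a root shell
sudo -s
# set -a exports the variables so the restic process can see them
set -a; . /etc/restic/env; set +a
restic init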

# First offsite backup
restic backup /home /etc /var/www \
  --tag offsite \
  --exclude="*/cache" \
  --exclude="*/tmp"

# Verify it worked
restic snapshots

Testing your backup - the step everyone skips

A backup you have never tested is not a backup, it is a hope. Schedule a restore drill every 90 days. Restore a random file and verify it opens correctly. Restore a full directory to a temp location and check it. This takes 15 minutes and is worth more than any monitoring dashboard.

# Test restore of a specific file
restic restore latest \
  --target /tmp/restore-test \
  --include /etc/nginx/nginx.conf

cat /tmp/restore-test/etc/nginx/nginx.conf
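
The directory-level drill described above, as a script. This is an added example, not restic's or ServerCrate's own code: the function names are made up, and it assumes GNU coreutils `sha256sum` and that RESTIC_REPOSITORY and RESTIC_PASSWORD are exported.

```sh
#!/bin/sh
# Added example. manifest, compare_trees and restore_drill are illustrative names.

# manifest DIR: "sha256  ./relative/path" for every regular file, sorted by path.
# Assumes file names without newlines.
manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2)
}

# compare_trees LIVE RESTORED: print MISSING for files absent from the restore and
# DIFFERS for files whose content changed; return 0 only if nothing is printed.
compare_trees() {
    live_list=$(mktemp) && rest_list=$(mktemp) || return 2
    manifest "$1" > "$live_list"
    manifest "$2" > "$rest_list"
    # Match on FILENAME, not NR == FNR: that idiom treats every file as restored
    # when the restore came back empty, which is the worst case to miss.
    problems=$(awk -v rest="$rest_list" '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == rest       { restored[path] = hash; next }
        !(path in restored)    { print "MISSING " path; next }
        restored[path] != hash { print "DIFFERS " path }
    ' "$rest_list" "$live_list")
    rm -f "$live_list" "$rest_list"
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# restore_drill /absolute/path: restore that path from the latest snapshot into a
# private scratch directory and compare it with the live copy. Files created or
# edited since the snapshot also show up, so read the output before raising an alarm.
restore_drill() {
    scratch=$(mktemp -d /tmp/restore-drill.XXXXXX) || return 2
    rc=0
    if restic restore latest --target "$scratch" --include "$1"; then
        compare_trees "$1" "$scratch$1" || rc=$?
    else
        rc=2
    fi
    rm -rf "$scratch"    # restored data can be sensitive; do not leave it in /tmp
    return "$rc"
}
```

Run it as `restore_drill /etc/nginx` from the root shell used for the backup; a non-zero exit with no recent edits to explain it means the restore is not trustworthy.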

Modern extensions to 3-2-1

Some people recommend 3-2-1-1-0: an additional immutable copy (1) with zero errors verified (0). Restic's restic check command handles the zero-errors verification. An append-only remote repository handles immutability - once written, old snapshots cannot be deleted even if an attacker gains access to your backup credentials.

3-2-1 for different environments

  • Homelab (Proxmox): Copy 1 = running VMs. Copy 2 = Proxmox Backup Server on local NAS. Copy 3 = Restic to ServerCrate for configs, app data, and critical files. See the Proxmox offsite backup guide.
  • Linux VPS: Copy 1 = live server. Copy 2 = provider snapshot (if available). Copy 3 = Restic to ServerCrate. Provider snapshots don't count as offsite - they are still in the same provider infrastructure. See the VPS backup service page.
  • NAS (TrueNAS/Synology): Copy 1 = NAS primary pool. Copy 2 = NAS parity / ZFS mirror. Copy 3 = Restic to ServerCrate over SFTP. See the NAS offsite backup guide.
  • Docker setup: Copy 1 = running containers with bind mounts. Copy 2 = daily database dumps on local disk. Copy 3 = Restic to ServerCrate including dumps and compose configs. See the Docker backup guide.

Modern extensions to 3-2-1

The original 3-2-1 rule predates ransomware as a mainstream threat. Modern variants add a fourth requirement: at least one copy must be immutable or append-only, so ransomware that encrypts your primary data and local backup cannot also destroy the offsite copy.

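Restic with ServerCrate provides strong isolation for the offsite copy - the vault is only writable via SFTP with your credentials, not mounted as a network drive or accessible via SMB. An attacker who compromises your primary machine cannot reach the vault without your SFTP credentials, so malware that only walks mounted shares never sees it. Those credentials do live on the machine that runs the backup, so keep them readable by root only; if they are stolen anyway, an append-only repository is what stops old snapshots from being deleted. This makes it a practical ransomware-resilient offsite component for most homelab and small business setups.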

The step everyone skips: testing restores

Having three copies means nothing if none of them are actually restorable. Schedule a restore test monthly: pick a random file from your most recent snapshot and restore it. Quarterly, do a full directory restore to a temporary location. The restic restore guide has copy-paste commands for every scenario. ServerCrate has no egress fees so testing costs you nothing beyond a few minutes of time.

Common misconceptions about 3-2-1

After a decade of people trying to follow the 3-2-1 rule, several patterns of self-deception have emerged. Avoid these traps:

  • "My RAID array counts as two copies." It doesn't. RAID protects against drive failure - it does not protect against accidental deletion, filesystem corruption, ransomware, a power surge that kills every drive, or a thief who takes the whole NAS. RAID is one copy spread across multiple disks for availability, not three copies for durability.
  • "My cloud sync service is my offsite backup." It usually isn't. Dropbox, Google Drive, iCloud, and OneDrive sync changes bidirectionally. If ransomware encrypts your files, it will cheerfully sync the encrypted versions up and replace your good copies. Sync is not backup. A proper offsite backup is write-protected from the source - Restic against an SFTP vault fits this, a synced folder doesn't.
  • "Two copies on the same server = two copies." No. "Media types" in the original rule meant genuinely independent storage - an internal drive plus an external USB drive, or a NAS plus cloud. Two partitions on the same disk are one copy. Two VMs on the same physical host are one copy.
  • "I can skip offsite if my local backup is encrypted." Encryption protects confidentiality, not availability. If your building burns down, your encrypted local backup burned with it. Offsite is about physical separation from the primary failure domain.
  • "Versioning isn't part of 3-2-1." Technically correct, but ransomware makes versioning essential. A single latest-snapshot-only backup can be overwritten with encrypted garbage before you notice. Restic's snapshot model keeps historical versions automatically - tune your retention with restic forget to keep enough history to survive a delayed attack.

Why offsite matters more than any other component

If you had to pick only one of the three copies to keep, it would be the offsite one. A single offsite encrypted backup beats a perfect local 3-2-0 setup because the threats that kill local backups - fire, flood, theft, ransomware that spreads laterally across the LAN - tend to kill them all at once. The offsite copy is the one that survives the bad day.

That's why ServerCrate is designed as an offsite-only service. We're not trying to replace your primary storage or your local NAS. We're the third copy that's sitting in a different building, on different hardware, behind an SFTP endpoint that nothing on your primary network can use without the SFTP credentials and the RESTIC_PASSWORD stored on disk.

Minimum practical 3-2-1 setups

Not everyone needs enterprise-grade backup infrastructure. Here are minimum setups that actually satisfy 3-2-1 for different scales:

  • Solo developer, laptop only: Laptop (1) + Time Machine or rsnapshot to an external USB drive (2) + Restic to ServerCrate (3). Total cost: one external drive plus $5/month.
  • Homelab with one server: Server (1) + nightly rsync to a second disk in the same box (2, same physical host so really 1.5) + Restic to ServerCrate (3). Upgrade path: add a dedicated backup machine as the real second copy.
  • Small business, 5-10 people: Workstations (1) + file server with versioned snapshots (2) + Restic from the file server to ServerCrate (3). One person runs the backup, one other person knows how to trigger a restore.
  • Multi-site org: Primary (1) + on-site backup appliance (2) + offsite replication to separate geographic region (3). This usually justifies a dedicated backup admin and something heavier than Restic - but Restic still works fine at this scale if you prefer simplicity.

FAQ

Common questions.

Three total copies of your data, on two different media types, with one copy offsite. Originated as advice for tape rotation in enterprise IT; still the baseline for personal and homelab backup in 2026.
Yes, but it is incomplete on its own. Modern threats include ransomware that targets backup clients to delete snapshots before encrypting the primary. The updated rule adds that one copy must be immutable -- append-only or WORM storage that cannot be deleted by a compromised client.
Anywhere geographically separated from your primary, such that a single disaster (fire, flood, theft) cannot take both. A drive at your neighbor's house counts. A drive in your basement does not. Cloud storage counts. A NAS in the next room does not.
Local incremental: daily, automated. Offsite incremental: daily, automated. Immutable tier: weekly. Cold/offline tier: quarterly to yearly. The cold tier is your last-resort recovery when everything else is compromised -- its value is being air-gapped, not being current.
Only if you treat it as the offsite copy and have two more copies locally on different media. A laptop SSD plus iCloud is not 3-2-1 -- both copies are on the same vendor and the cloud copy is not immutable.