Your digital data is vulnerable to three major threats: hardware failure, loss or theft, and cyberattacks (especially ransomware). An encrypted backup strategy protects against all these threats simultaneously. Here's how to set one up.

The 3-2-1 Backup Rule

The golden rule of backup is simple to remember:

  • 3 copies of your data
  • 2 different media (external hard drive, cloud, USB drive)
  • 1 off-site copy (at a physically separate location)

This rule ensures that even in case of fire, flood, or theft at your home, a copy of your data is preserved.

Why Encryption Is Essential

An unencrypted backup is like a safe with the door open. If someone accesses your backup drive (theft, cloud service hack), they access all your data in plain text.

Encryption ensures that even if an attacker gets hold of your backup, they cannot read its contents without the decryption key. With modern algorithms like XChaCha20-Poly1305, brute-forcing the key is computationally infeasible; in practice the weak point is the passphrase that protects the key, so choose a strong one.

Encrypted Backup Tools

Local Encrypted Backup

VeraCrypt: creates encrypted volumes on your local drives. Open source, free, and very robust. You can encrypt an entire external hard drive for your physical backups.

BitLocker (Windows) and FileVault (Mac): encrypt your entire hard drive. Simple to enable, integrated into the system.

Encrypted Cloud Backup

Backblaze: automatic cloud backup service with optional client-side encryption. Affordable and reliable.

Arq Backup: software that encrypts your data before sending it to your preferred cloud (S3, B2, Google Drive, etc.). The encryption key stays with you.

Proton Drive: cloud with full end-to-end encryption, hosted in Switzerland. Good option for sensitive documents.

Restic: open-source command-line backup tool with built-in deduplication and encryption. Ideal for technical users.

What to Avoid

iCloud, Google Drive, Dropbox without additional encryption: these services encrypt your data, but they have access to the decryption keys. They can be compelled to hand over your data to authorities. For non-sensitive data, this is acceptable. For confidential data, add an encryption layer (Cryptomator, for example).

Level 1: Automatic Local Backup

Configure automatic daily backup to an encrypted external hard drive (Time Machine on Mac, Windows Backup, or Veeam). This drive should stay connected to your computer or be plugged in regularly.

Level 2: Encrypted Cloud Backup

Add automatic cloud backup with client-side encryption. Backblaze Personal Backup is an excellent option for individuals. Your data is encrypted before uploading.

Level 3: Off-Site Archiving

For your most critical data (identity documents, digital wills, crypto recovery keys), create an encrypted archive and store it at a physically separate location: at a trusted loved one's home, in a bank safe, or with your notary.

Encrypting Your Most Sensitive Data Before Backup

For ultra-sensitive data (crypto recovery phrase, master passwords, medical data), add specific encryption before any backup. Use GnuPG or age to encrypt individual files with an asymmetric key.

Testing Your Backups Regularly

A backup you've never tested is not a backup; it's an illusion of security. Schedule a monthly restoration test:

  1. Select a random file from your backup
  2. Restore it to a different location
  3. Verify it's intact and readable
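The monthly restore test above, scripted as an added example (not code from the article or from any of the tools it names): the backup is a plain tar archive plus a manifest of file hashes recorded at backup time, and the function names make_archive and verify_restore are hypothetical. Encrypting archive.tar with GnuPG or age, as the article recommends, is left out so the script runs with nothing beyond tar and coreutils.

```shell
#!/bin/sh
# Added example: restore test for a tar archive with a hash manifest.
# make_archive / verify_restore are hypothetical names, not tool commands.

# Hash one file; uses coreutils sha256sum, falls back to shasum (macOS).
file_hash() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Archive SRC_DIR into OUT_DIR/archive.tar and record a manifest of per-file
# hashes taken at backup time. Encrypt archive.tar afterwards (gpg/age);
# the manifest is what the restore test later checks against.
make_archive() {  # make_archive SRC_DIR OUT_DIR
  src=$1; out=$2
  mkdir -p "$out"
  tar -C "$src" -cf "$out/archive.tar" .
  ( cd "$src" && find . -type f | sort | while read -r f; do
      printf '%s  %s\n' "$(file_hash "$f")" "$f"
    done ) > "$out/manifest.sha256"
}

# Restore to a fresh directory (never over the original) and compare every
# file to the manifest. Returns 0 only if all files are present and intact;
# prints the first missing or corrupted path otherwise.
verify_restore() {  # verify_restore OUT_DIR
  out=$1
  restore=$(mktemp -d)
  tar -C "$restore" -xf "$out/archive.tar" || return 1
  status=0
  while read -r want path; do
    if [ ! -f "$restore/$path" ]; then echo "MISSING $path"; status=1; break; fi
    got=$(file_hash "$restore/$path")
    if [ "$got" != "$want" ]; then echo "CORRUPT $path"; status=1; break; fi
  done < "$out/manifest.sha256"
  rm -rf "$restore"
  return $status
}

# Constructed sample data so the script runs offline.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/src/docs"
  printf 'passport scan\n' > "$work/src/docs/id.txt"
  printf 'recovery words\n' > "$work/src/seed.txt"
  make_archive "$work/src" "$work/backup"
  verify_restore "$work/backup" && echo "restore test OK"
  rm -rf "$work"
}
```

Run demo from cron once a month; a non-zero exit from verify_restore is the signal that the backup can no longer be trusted.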

Backup and Digital Legacy

Backing up your data is the first step in preparing your digital legacy. But it's not enough if your loved ones don't know where your backups are or how to access them.

Complete your strategy with EchoPass: store access information for your backups (encryption passwords, drive locations) in an encrypted message that will be automatically delivered to your loved ones in case of prolonged absence.

Start with EchoPass for free.