What Is the 3-2-1 Backup Rule?
The Rule Explained
The 3-2-1 rule was popularized by photographer Peter Krogh in his 2005 book on digital asset management, but the underlying principle is much older. It codifies a simple insight: redundancy across independent failure domains is the only reliable way to prevent permanent data loss. Each number in the rule addresses a specific class of risk.
3 copies means your original data plus two backup copies. The original is on your computer's hard drive or server's storage. The first backup copy might be on a local external drive or NAS. The second backup copy goes to a separate location or storage system. Three copies give you tolerance for two simultaneous storage failures, an event that is itself statistically very unlikely when the copies are on independent systems.
2 different media types means the copies should not all be on the same kind of storage. If all three copies are on identical hard drives from the same manufacturer, a firmware bug or batch defect could affect all of them simultaneously. By using different media types, such as an internal SSD plus an external HDD plus cloud object storage, you eliminate correlated failure modes. In practice, "different media" now often means "different storage systems" since even the same physical media type (hard drives) is acceptable when the drives are in different locations and on different controllers.
1 offsite copy protects against physical disasters that affect your primary location. A fire that destroys your office takes out both your server and the backup drive sitting next to it. Theft, flooding, power surges, and natural disasters all have the same effect. By keeping one copy in a geographically separate location, whether a cloud storage provider, a friend's house, or a data center in another city, you ensure that no single physical event can destroy all your data.
Why the 3-2-1 Rule Works
The mathematical basis for the 3-2-1 rule is straightforward. If a single storage device has a 1% annual probability of failure (which is optimistic for consumer hard drives that often see 2-4% annual failure rates), the probability of losing data on one device is 0.01. With two independent copies, the probability of both failing in the same year is 0.01 x 0.01 = 0.0001, or 0.01%. With three copies, it drops to 0.000001, or 0.0001%. This is a thousand-fold improvement for each additional copy.
But this math only holds when the copies fail independently. If all three copies are on the same RAID array, a controller failure can destroy all of them at once. If all three copies are in the same building, a fire destroys all of them. The "2 different media" and "1 offsite" requirements exist specifically to ensure independence between the copies. RAID is not a backup. It protects against individual drive failure within the array, but controller failures, firmware bugs, accidental file deletion, ransomware, and physical disasters all affect every drive in the array equally.
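The independence argument above, worked as an added example (not from the original article): each copy can fail on its own with the 1% figure from the text, or be lost together with everything else in a shared failure domain. The domain names and the shared-event probabilities in `EVENTS` are assumptions chosen for illustration.

```python
from itertools import product

DEVICE_P = 0.01  # per-device annual failure probability used in the text

def annual_loss_probability(copies, shared_events, device_p=DEVICE_P):
    """Probability that every copy is lost within one year.

    copies: list of sets; each set names the failure domains a copy sits in.
    shared_events: dict domain -> annual probability that the whole domain is
        destroyed (fire, controller fault, ...). These events are assumed
        independent of each other and of individual device failures.
    """
    domains = sorted(shared_events)
    total = 0.0
    # Enumerate every combination of shared events happening / not happening.
    for outcome in product([False, True], repeat=len(domains)):
        hit = {d for d, happened in zip(domains, outcome) if happened}
        weight = 1.0
        for d, happened in zip(domains, outcome):
            weight *= shared_events[d] if happened else 1 - shared_events[d]
        # A copy in a destroyed domain is gone; otherwise it fails with device_p.
        all_lost = 1.0
        for copy_domains in copies:
            all_lost *= 1.0 if copy_domains & hit else device_p
        total += weight * all_lost
    return total

# Constructed scenarios; the event probabilities below are assumptions.
EVENTS = {"office": 0.005, "raid-ctrl": 0.01, "cloud-region": 0.0001}
LAYOUTS = {
    "3 copies on one RAID array": [{"office", "raid-ctrl"}] * 3,
    "3 copies, same building":    [{"office"}] * 3,
    "3-2-1 (one copy offsite)":   [{"office"}, {"office"}, {"cloud-region"}],
}

def compare_layouts():
    """Annual probability of total data loss for each constructed layout."""
    return {name: annual_loss_probability(c, EVENTS) for name, c in LAYOUTS.items()}

if __name__ == "__main__":
    for name, p in compare_layouts().items():
        print(f"{name:30s} {p:.2e}")
```

With copies that share a domain, the shared event dominates the result and the extra copies add almost nothing; only the layout with a copy outside the office domain gets close to the independent-failure figure.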
How to Implement 3-2-1 with Open Source Tools
A practical 3-2-1 implementation using open source tools requires two backup tools or one tool writing to two destinations. Here is a common, proven setup:
Copy 1 (original): Your computer or server's primary storage. This is the data you work with every day.
Copy 2 (local backup): Use BorgBackup or Restic to back up to a local external drive, NAS, or dedicated backup server on your network. Schedule daily backups with a 30-day retention policy. This copy provides fast restoration for everyday incidents like accidental deletion, software bugs, or drive failure. See our How to Set Up Automated Backups guide for configuration details.
Copy 3 (offsite backup): Use Restic to back up to Backblaze B2, Wasabi, or another cloud provider. Schedule daily backups with a 90-day or longer retention policy. This copy provides disaster recovery for events that destroy your primary location. Alternatively, use BorgBackup to back up to a remote server over SSH if you have access to one.
The local and offsite backups can run independently (two separate backup jobs to two different repositories) or the offsite can be a replication of the local (using rclone to sync a local BorgBackup repository to cloud storage). Independent backups are more reliable because a corruption issue in one repository does not affect the other.
Modern Variations: 3-2-1-1-0
The original 3-2-1 rule was developed before ransomware became a major threat. Modern attacks specifically target backup systems, looking for connected backup drives and network backup servers to encrypt alongside the primary data. This has led to updated versions of the rule that add further requirements.
3-2-1-1-0 adds two numbers to the original rule:
The extra 1 stands for one copy that is air-gapped or immutable. An air-gapped copy is on storage that is physically disconnected from all networks when not in use (such as a USB drive that you plug in for backup and then disconnect). An immutable copy is stored on a system that prevents modification or deletion for a defined retention period (such as S3 Object Lock or Wasabi's immutable buckets). Either approach prevents ransomware from reaching the backup even if it compromises your network.
The 0 stands for zero errors in backup verification. This means you actively test restoration and verify backup integrity, not just assume the backups are good because the backup job reported success. A corrupted backup that has never been tested is worse than no backup at all because it gives a false sense of security. Restic's check command and BorgBackup's check command both verify repository integrity and should be run regularly.
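One way to act on the "0" above, as an added example (not part of the original article): record a SHA-256 manifest of the source when the backup runs, restore a snapshot to a scratch directory with your backup tool, and compare. The function names and the scratch-directory workflow are assumptions for illustration; this complements the tools' own check commands rather than replacing them.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                # Read in 1 MiB chunks so large files do not fill memory.
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            result[path.relative_to(root).as_posix()] = digest.hexdigest()
    return result

def verify_restore(expected, restored_dir):
    """Compare a manifest recorded at backup time with a restored tree."""
    actual = manifest(restored_dir)
    common = expected.keys() & actual.keys()
    return {
        "missing":    sorted(set(expected) - set(actual)),
        "corrupted":  sorted(p for p in common if expected[p] != actual[p]),
        "unexpected": sorted(set(actual) - set(expected)),
    }

def demo():
    """Constructed data: a 'restore' with one altered byte and one lost file."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        for d in (src / "docs", dst / "docs"):
            d.mkdir(parents=True)
        (src / "docs" / "report.txt").write_bytes(b"quarterly numbers\n")
        (src / "photo.raw").write_bytes(b"\x00\x01\x02\x03")
        (src / "keys.txt").write_bytes(b"secret\n")
        expected = manifest(src)               # recorded when the backup ran
        (dst / "docs" / "report.txt").write_bytes(b"quarterly numbers\n")
        (dst / "photo.raw").write_bytes(b"\x00\x01\xff\x03")  # silent corruption
        return verify_restore(expected, dst)   # keys.txt was never restored

if __name__ == "__main__":
    print(demo())
```

A restore test passes only when `missing` and `corrupted` are both empty; a backup job that exited successfully says nothing about either.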
Common Mistakes That Violate 3-2-1
Only backing up to a USB drive that stays plugged in. You have two copies (original + drive) on two media types, but zero offsite copies. If your location is damaged, both copies are lost. Add a cloud backup to fix this.
Backing up to another partition on the same drive. You technically have two copies, but on one media type. If the drive fails, both copies are gone. This is barely better than no backup at all.
Using only cloud sync as backup. Sync propagates deletions and corruption. You have one copy that is mirrored, not backed up. Use a proper backup tool that creates immutable snapshots.
Never testing restoration. You may have three copies, but if the backup is corrupted or the restore process fails, you effectively have zero usable copies. Test restoration monthly at minimum.
Storing backup encryption keys alongside the backup. If the backup server is compromised or destroyed, and the encryption key was only stored on that server, the offsite backup is permanently inaccessible. Store encryption keys in a separate, secure location such as a password manager or physical safe.
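The mistakes above, and the copy layout from the implementation section, can be checked mechanically. The following is an added example (not from the original article): an audit of a backup inventory against 3-2-1-1-0. The `Copy` fields, the finding labels and the sample inventory are assumptions made for illustration; the 31-day limit reflects the "test restoration monthly" advice.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Copy:
    name: str
    device: str                 # physical device or service holding the data
    media: str                  # e.g. "ssd", "hdd", "object-storage"
    site: str                   # physical location
    kind: str = "backup"        # "original", "backup" (snapshots) or "sync"
    protected: bool = False     # air-gapped or immutable
    last_restore_test: Optional[date] = None
    key_location: Optional[str] = None  # device/service holding the only key copy

def audit(copies, primary_site, today, max_test_age_days=31):
    """Return 3-2-1-1-0 findings for an inventory; an empty list means compliant."""
    findings = []
    # A sync mirror propagates deletions and corruption, so it is not counted.
    real = [c for c in copies if c.kind != "sync"]
    devices = {c.device for c in real}   # two partitions of one drive = one device
    if len(devices) < 3:
        findings.append(f"3: only {len(devices)} independent copies")
    if len({c.media for c in real}) < 2:
        findings.append("2: all copies on one media type")
    if all(c.site == primary_site for c in real):
        findings.append("1 offsite: every copy is at the primary site")
    backups = [c for c in real if c.kind == "backup"]
    if not any(c.protected for c in backups):
        findings.append("1 immutable: no air-gapped or immutable copy")
    cutoff = today - timedelta(days=max_test_age_days)
    for c in backups:
        if c.last_restore_test is None or c.last_restore_test < cutoff:
            findings.append(f"0: {c.name} has no restore test since {cutoff}")
        if c.key_location == c.device:
            findings.append(f"key: {c.name} keeps its only key on the backup itself")
    return findings

# Constructed inventory: USB drive left plugged in, plus cloud sync used as "backup".
TODAY = date(2024, 6, 1)
RISKY = [
    Copy("laptop", "laptop-ssd", "ssd", "home", kind="original"),
    Copy("usb", "usb-hdd", "hdd", "home", last_restore_test=date(2024, 1, 5)),
    Copy("cloud-sync", "sync-service", "object-storage", "cloud", kind="sync"),
]

if __name__ == "__main__":
    for finding in audit(RISKY, "home", TODAY):
        print(finding)
```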
The 3-2-1 backup rule is the minimum viable data protection strategy: 3 copies, 2 media types, 1 offsite. It is simple, effective, and affordable to implement with open source tools and cloud storage. For modern threat protection, upgrade to 3-2-1-1-0 by adding an immutable or air-gapped copy and verifying backups with zero errors.