
3-2-1 Backup Rule: How SMBs Reliably Protect Their Data


Data loss is an existential threat for businesses of any size. Whether ransomware, hardware failure, or human error — without a well-thought-out backup strategy, business data can be irretrievably lost. The 3-2-1 backup rule has been the recognized gold standard for reliable data protection for decades and can be efficiently implemented with modern open-source tools.

What Is the 3-2-1 Backup Rule?

The 3-2-1 rule defines three simple principles:

  • 3 copies of your data (the original + 2 backups)
  • 2 different media types (e.g., local disks + NAS or tape)
  • 1 copy at an external location (offsite or cloud)

The principle is straightforward: any single security measure can fail. A hard drive can be defective, a location can be affected by fire or flooding, a ransomware attack can encrypt all connected systems. Only the combination of multiple independent protection layers provides true security.

Why a Simple Backup Is Not Enough

Many SMBs back up their data to an external hard drive or a NAS in the same server room. This protects against hardware failures — but not against:

| Risk | Simple Backup | 3-2-1 Backup |
| --- | --- | --- |
| Hard drive failure | Protected | Protected |
| Ransomware | Often affected (same network access) | Protected (offsite copy isolated) |
| Fire / water damage | Not protected (same location) | Protected (external copy) |
| Accidental deletion | Only with versioning enabled | Protected (multiple copies + snapshots) |
| Theft | Not protected | Protected (external copy) |
| Software errors / corruption | Potentially replicated | Protected (different media) |

Ransomware is now the most common cause of data loss in SMBs. Attackers deliberately encrypt all accessible network shares — including NAS shares. Only an isolated offsite copy reliably protects in this scenario.

Implementing the 3-2-1 Rule in Practice

Copy 1: Production Data

Your production data typically resides on servers, in virtual machines, or on network shares. In a modern infrastructure with Proxmox VE, these are the virtual disks of your VMs and containers.

Copy 2: Local Backup

The first backup is performed locally — ideally to a separate storage system on the same network. Two proven solutions are available:

Proxmox Backup Server (PBS): Specifically designed for backing up Proxmox VMs and containers. PBS offers incremental backups with deduplication that dramatically reduce storage requirements. After the initial run, a complete VM backup often takes only seconds.

TrueNAS with ZFS Snapshots: TrueNAS creates instant, space-efficient snapshots of your data. ZFS snapshots are read-only and cannot be modified after creation — a natural protection against ransomware. Snapshots can be automated at freely configurable intervals.

Copy 3: Offsite Backup

The third copy must be stored at a physically separate location. Practical options for SMBs:

  • ZFS replication to a second TrueNAS at another site — fully encrypted over the internet. ZFS Send/Receive transfers only changed data blocks, minimizing required bandwidth.
  • Proxmox Backup Server Remote Sync — PBS can automatically replicate backups to a remote PBS server.
  • S3-compatible cloud storage — Providers like Hetzner Storage Box or Wasabi offer affordable cloud storage. Both integrate directly with PBS or as backup targets.
  • Encrypted USB drives in rotation — The simplest offsite solution: multiple encrypted drives regularly rotated between the office and a secure external location.

The Extended 3-2-1-1-0 Rule

Modern backup strategies extend the classic 3-2-1 rule with two additional points:

  • 1 air-gapped or immutable copy — At least one backup copy should be physically or logically separated from the network. ZFS snapshots on TrueNAS are immutable as long as they are not actively deleted. Proxmox Backup Server also supports immutable backups with configurable retention periods.
  • 0 errors during recovery — Backups that cannot be restored are worthless. Regular restore tests are mandatory. Proxmox VE allows restoring a backup into a temporary VM for verification without affecting production operations.
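
A restore test only proves something if the restored data is compared against a known-good reference. The following is an added example, not part of Proxmox VE or PBS: it records SHA-256 digests at backup time and checks a restored tree against them. The function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):  # 1 MiB reads
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest

def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest recorded at backup time."""
    restored = build_manifest(restored_root)
    common = manifest.keys() & restored.keys()
    return {
        "missing": sorted(manifest.keys() - restored.keys()),
        "corrupt": sorted(p for p in common if manifest[p] != restored[p]),
        "unexpected": sorted(restored.keys() - manifest.keys()),
    }

def restore_ok(report):
    """The '0 errors' criterion: nothing missing, corrupt or unexpected."""
    return not any(report.values())

def demo():
    """Constructed sample: check a clean restore, then a damaged one."""
    files = {"db/customers.sql": b"INSERT 1;\n" * 100,
             "docs/contract.txt": b"signed\n", "docs/notes.txt": b"todo\n"}
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        for base in (src, dst):
            for rel, data in files.items():
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(data)
        manifest = build_manifest(src)
        clean = verify_restore(manifest, dst)
        (dst / "db/customers.sql").write_bytes(b"INSERT 1;\n" * 50)  # truncated
        (dst / "docs/notes.txt").unlink()                            # lost file
        return clean, verify_restore(manifest, dst)

if __name__ == "__main__":
    for label, report in zip(("clean", "damaged"), demo()):
        print(label, "OK" if restore_ok(report) else "FAILED", report)
```

Store the manifest separately from the backup it describes, so that damage to the backup cannot also alter the reference.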

Automation Is Essential

A backup strategy only works when it runs automatically. Manual backups get forgotten, postponed, or executed incorrectly. Both Proxmox Backup Server and TrueNAS offer extensive automation capabilities:

  • Scheduled backup jobs — Daily, weekly, or hourly backups on a customized schedule
  • Automatic retention policies — Old backups are pruned according to defined rules (e.g., 7 daily, 4 weekly, 12 monthly backups)
  • Monitoring and alerting — Notifications for failed backups via email or webhook
  • Integrity checks — ZFS verifies checksums for all data blocks on every read. Silent data corruption (bitrot) is automatically detected and corrected when redundancy is available.
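
The retention rule quoted in the list above (7 daily, 4 weekly, 12 monthly), worked through as an added example that is not code from Proxmox Backup Server or TrueNAS. It is a simplified grandfather-father-son selection; `select_keep`, `sample_backups` and the timestamps are constructed for illustration, and the real tools' pruning may differ in detail.

```python
from datetime import datetime, timedelta

# Each backup belongs to one calendar day, one ISO week and one month.
RULE_KEYS = {
    "daily": lambda t: t.date(),
    "weekly": lambda t: t.isocalendar()[:2],      # (ISO year, ISO week)
    "monthly": lambda t: (t.year, t.month),
}

def select_keep(backups, daily=7, weekly=4, monthly=12):
    """Return the backup timestamps that a daily/weekly/monthly policy keeps.

    Rules run in order. Each keeps the newest backup in each of its N most
    recent periods and skips periods already held by an earlier rule, so the
    weekly and monthly slots reach further back instead of repeating dailies.
    """
    limits = {"daily": daily, "weekly": weekly, "monthly": monthly}
    ordered = sorted(set(backups), reverse=True)      # newest first
    keep = set()
    for rule, key in RULE_KEYS.items():
        covered = {key(t) for t in keep}              # periods from earlier rules
        chosen = set()
        for t in ordered:
            period = key(t)
            if period in covered or period in chosen:
                continue                              # period already represented
            if len(chosen) >= limits[rule]:
                break                                 # this rule's slots are full
            chosen.add(period)
            keep.add(t)
    return keep

def sample_backups():
    """Constructed input: nightly 02:00 runs for 120 days up to 2024-06-30,
    plus one extra 14:00 run on the last day."""
    last = datetime(2024, 6, 30, 2, 0)
    runs = [last - timedelta(days=n) for n in range(120)]
    return runs + [datetime(2024, 6, 30, 14, 0)]

if __name__ == "__main__":
    runs = sample_backups()
    kept = select_keep(runs)
    for t in sorted(kept, reverse=True):
        print("keep ", t.isoformat(sep=" ", timespec="minutes"))
    print(f"prune {len(runs) - len(kept)} of {len(runs)} backups")
```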

What Does a 3-2-1 Backup Solution Cost?

With open-source tools, professional backup infrastructures can be built at a fraction of the cost of proprietary solutions:

| Component | Proprietary (e.g., Veeam + Synology) | Open Source (PBS + TrueNAS) |
| --- | --- | --- |
| Backup software | From €500/year (per socket) | Free |
| Local storage | ~€2,000 (Synology NAS) | ~€1,500 (TrueNAS-compatible hardware) |
| Offsite storage | ~€50/month (cloud) | ~€5/month (Hetzner Storage Box) |
| Annual license costs | €500–2,000 | €0 |

The savings go beyond software. ZFS deduplication and compression along with PBS incremental backups significantly reduce required storage space — often by 50–80% compared to full backups.

Frequently Asked Questions

What does the 3-2-1 backup rule mean?

The 3-2-1 rule states: Keep 3 copies of your data, on 2 different media types, with 1 copy at an external location. This protects your data against hardware failures, ransomware, and site disasters.

How often should backups be performed?

This depends on how much data loss your business can tolerate (RPO — Recovery Point Objective). For most SMBs, daily backups are the minimum. Critical systems should be backed up more frequently — Proxmox Backup Server enables hourly incremental backups with minimal storage requirements.

Does the 3-2-1 rule protect against ransomware?

Yes, provided the offsite copy is isolated from the network. Ransomware encrypts all accessible network shares. An offsite copy that is not directly accessible from the network remains protected. ZFS snapshots and immutable PBS backups provide additional protection.

How do I test if my backups work?

Perform regular restore tests. In Proxmox VE, you can restore a backup directly into a temporary VM and verify that the system starts correctly and data is complete. Plan at least quarterly full restore tests.


Want to implement a 3-2-1 backup strategy for your business? Contact us — we provide free consultation and implement a tailored backup solution for your infrastructure.
