← All articles
STORAGE The 3-2-1 Backup Strategy for Your Home Lab 2026-02-09 · backup · restic · borgbackup

The 3-2-1 Backup Strategy for Your Home Lab

Storage 2026-02-09 backup restic borgbackup rclone storage disaster-recovery

Here's a truth that every homelabber learns eventually, either through planning or through pain: your data doesn't exist unless it exists in three places. That hard drive you think is reliable will fail. Your NAS with RAID will have a controller die. Your house could flood. A ransomware attack could encrypt everything on your network.

The 3-2-1 rule is the minimum viable backup strategy:

This isn't paranoia — it's math. The probability of losing all three independent copies simultaneously is negligibly small. The probability of losing one copy is close to 100% over a long enough timeline.

Let's implement this for a real homelab.

What the 3-2-1 Rule Looks Like in Practice

For a typical homelab, the three copies are:

  1. Primary data — Your live files on your server, NAS, or workstation. This is what you use day to day.
  2. Local backup — A backup on your NAS, a separate drive, or a different machine on your network. Protects against hardware failure and accidental deletion.
  3. Offsite backup — A copy stored somewhere physically separate from your home. Protects against fire, flood, theft, ransomware, and anything else that could take out your entire local setup.

The "two different media types" requirement is less strict for homelabs. In the enterprise world, this means disk + tape. For us, having backups on a separate device (NAS vs workstation) and offsite (cloud) satisfies the spirit of the rule.

Choosing Your Backup Tools

There are dozens of backup tools. These three cover the homelab sweet spot:

Restic

Restic is a modern, fast, encrypted backup program. It deduplicates data, supports multiple storage backends (local, SFTP, S3, Backblaze B2, etc.), and is easy to script.

Strengths: Fast, encrypted by default, supports cloud storage natively, easy to learn. Weakness: No built-in scheduling (use cron or systemd timers).

BorgBackup

BorgBackup (borg) is similar to restic but with higher compression ratios and the ability to mount backups as filesystems. It's been around longer and is very well-tested.

Strengths: Excellent compression, mount backups with FUSE, mature and stable. Weakness: Doesn't natively support cloud storage (use rclone to sync borg repos offsite).

Rclone

Rclone isn't a backup tool per se — it's a sync tool for cloud storage. Think of it as rsync for cloud providers. It supports over 40 backends including Backblaze B2, AWS S3, Google Drive, Dropbox, and many more.

Use it for: Syncing local backup repos to cloud storage, or as a standalone sync tool for less critical data.

Layer 1: Local Backups with Restic

Let's back up your important data to a local NAS or separate drive.

Install Restic

# Ubuntu/Debian
sudo apt install restic

# Fedora
sudo dnf install restic

# Or download the latest binary
wget https://github.com/restic/restic/releases/download/v0.17.3/restic_0.17.3_linux_amd64.bz2
bunzip2 restic_0.17.3_linux_amd64.bz2
sudo mv restic_0.17.3_linux_amd64 /usr/local/bin/restic
sudo chmod +x /usr/local/bin/restic

Initialize a Backup Repository

# On a local NAS mount
restic init --repo /mnt/nas/backups/server1

# Or via SFTP to another machine
restic init --repo sftp:nas-user@192.168.1.50:/backups/server1

Restic will ask you for a password. This password encrypts your backups. Store it somewhere safe — without it, your backups are unrecoverable. Put it in your password manager and write a physical copy stored separately.

Run Your First Backup

# Set the repo and password as environment variables
export RESTIC_REPOSITORY=/mnt/nas/backups/server1
export RESTIC_PASSWORD="your-secure-password"

# Back up your important directories
restic backup /home /etc /var/lib/docker/volumes /opt

# Exclude unnecessary files
restic backup /home /etc /opt \
  --exclude="*.tmp" \
  --exclude=".cache" \
  --exclude="node_modules" \
  --exclude=".local/share/Trash"

Restic deduplicates automatically. The first backup transfers everything. Subsequent backups only transfer changed data.

Browse and Restore

# List all snapshots
restic snapshots

# Browse a snapshot's contents
restic ls latest

# Restore a specific file
restic restore latest --target /tmp/restore --include /home/user/documents/important.txt

# Restore everything from a specific snapshot
restic restore abc123 --target /tmp/full-restore

# Mount snapshots as a filesystem (browse like normal folders)
mkdir /mnt/restic
restic mount /mnt/restic
# Now browse /mnt/restic/snapshots/latest/

Prune Old Backups

Without pruning, your backup repo grows forever. Set a retention policy:

restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --keep-yearly 2 --prune

This keeps:

Everything else is removed and the space is reclaimed.

Layer 1 Alternative: BorgBackup

If you prefer borg:

# Install
sudo apt install borgbackup

# Initialize
borg init --encryption=repokey /mnt/nas/backups/server1-borg

# Backup
borg create /mnt/nas/backups/server1-borg::'{hostname}-{now}' \
  /home /etc /opt \
  --exclude '*.cache' \
  --exclude 'node_modules'

# Prune
borg prune /mnt/nas/backups/server1-borg \
  --keep-daily=7 \
  --keep-weekly=4 \
  --keep-monthly=12

# Mount and browse
mkdir /mnt/borg
borg mount /mnt/nas/backups/server1-borg /mnt/borg

Borg's compression is excellent. Use --compression auto,zstd for a good balance of speed and ratio.

Layer 2: Offsite Backups

Local backups protect against hardware failure. Offsite protects against everything else.

Backblaze B2: The Homelab Standard

Backblaze B2 is the most popular cloud storage for homelab backups because it's cheap:

For 500 GB of backups, you're looking at about $3/month.

Using Restic with B2 Directly

# Install B2 credentials
export B2_ACCOUNT_ID="your-account-id"
export B2_ACCOUNT_KEY="your-account-key"

# Initialize a B2 repo
restic init --repo b2:my-homelab-backups:server1

# Backup directly to B2
export RESTIC_REPOSITORY=b2:my-homelab-backups:server1
restic backup /home /etc /opt

This works but is slower than backing up locally first and then syncing. For large datasets, the two-stage approach is better.

Using Rclone to Sync Local Backups to B2

# Configure rclone (interactive setup)
rclone config
# Choose: New remote > name: b2 > type: Backblaze B2 > enter credentials

# Sync your local backup repo to B2
rclone sync /mnt/nas/backups/server1 b2:my-homelab-backups/server1 \
  --transfers 8 \
  --progress

This copies your encrypted restic/borg repo to B2. Since the repo is already encrypted, B2 sees nothing but encrypted chunks.

Other Offsite Options

Automating Everything

Manual backups don't happen. Automate with a systemd timer (preferred over cron for logging and dependency management).

Create /etc/systemd/system/restic-backup.service:

[Unit]
Description=Restic Backup
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
Environment="RESTIC_REPOSITORY=/mnt/nas/backups/server1"
Environment="RESTIC_PASSWORD_FILE=/root/.restic-password"
ExecStart=/usr/local/bin/restic backup /home /etc /opt --exclude-file=/etc/restic-excludes.txt
ExecStartPost=/usr/local/bin/restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --prune

Create /etc/systemd/system/restic-backup.timer:

[Unit]
Description=Run Restic Backup Daily

[Timer]
OnCalendar=*-*-* 02:00:00
RandomizedDelaySec=30m
Persistent=true

[Install]
WantedBy=timers.target

Enable it:

sudo systemctl daemon-reload
sudo systemctl enable --now restic-backup.timer

Add a second timer for offsite sync:

Create /etc/systemd/system/restic-offsite.service:

[Unit]
Description=Sync Backups to Backblaze B2
After=restic-backup.service

[Service]
Type=oneshot
ExecStart=/usr/bin/rclone sync /mnt/nas/backups/server1 b2:my-homelab-backups/server1 --transfers 8

Create /etc/systemd/system/restic-offsite.timer:

[Unit]
Description=Sync Backups Offsite Daily

[Timer]
OnCalendar=*-*-* 04:00:00
Persistent=true

[Install]
WantedBy=timers.target

Monitoring Your Backups

Backups that fail silently are worse than no backups — they give you false confidence.

Check Backup Status

# Verify the last backup ran
restic snapshots --latest 1

# Check repo integrity
restic check

# Full data verification (reads all data, slow but thorough)
restic check --read-data

Alert on Failures

Add notification to your backup service:

[Service]
Type=oneshot
ExecStart=/usr/local/bin/restic backup ...
ExecStartPost=/usr/bin/curl -d "Backup completed successfully" http://ntfy-server:8080/backups
OnFailure=backup-failure-notify.service

Create backup-failure-notify.service:

[Unit]
Description=Notify on Backup Failure

[Service]
Type=oneshot
ExecStart=/usr/bin/curl -d "BACKUP FAILED on %H - check logs" http://ntfy-server:8080/backups

Test Your Restores

This is the most important and most neglected part of any backup strategy. A backup you haven't tested restoring is a backup you're hoping works.

Schedule a quarterly restore test:

  1. Pick a random backup snapshot
  2. Restore it to a temporary directory
  3. Verify the files are intact and readable
  4. Delete the temporary restore
# Pick a snapshot from 2 weeks ago
restic snapshots

# Restore it
restic restore abc123 --target /tmp/restore-test

# Check some files
diff /home/user/documents/important.txt /tmp/restore-test/home/user/documents/important.txt

# Clean up
rm -rf /tmp/restore-test

If this ever fails, you want to find out during a test — not during an emergency.

What to Back Up

Not everything needs backing up. Focus on what's irreplaceable:

Always back up:

Don't bother backing up:

Back up databases properly:

# PostgreSQL
pg_dump mydb > /backup/staging/mydb.sql

# MySQL/MariaDB
mysqldump --all-databases > /backup/staging/all-databases.sql

# Then back up the dump files with restic/borg

Don't back up database data directories directly while the database is running — you'll get inconsistent data.

Cost Breakdown

A realistic 3-2-1 setup for a homelab:

Component Cost
Local backup (NAS you already have) $0 additional
Backblaze B2 (500 GB) ~$3/month
Restic + rclone + systemd Free
Total ~$3/month

For $36/year, you have encrypted, deduplicated, automated backups with local and offsite copies. Compare that to the cost of losing your family photos, your homelab configuration, or years of personal documents.

Common Mistakes

Backing up to the same drive: RAID is not a backup. A second partition on the same disk is not a backup. If the machine is stolen, catches fire, or gets hit by ransomware, local-only copies are all gone together.

Not encrypting offsite backups: Both restic and borg encrypt by default. If you're using rclone directly, add --crypt to encrypt before uploading. Never store unencrypted personal data on someone else's server.

Forgetting about restore time: If you have 5 TB offsite and your home internet download speed is 100 Mbps, a full restore takes about 4-5 days. Plan accordingly — keep your most critical data on faster storage or maintain a recent local copy.

Not documenting the restore process: When you need your backups, you're probably stressed. Write down exactly how to restore, including which repo, which password, which commands. Store this documentation both digitally (in the backup) and physically (printed).

The 3-2-1 rule isn't complicated, and with modern tools like restic and rclone, implementing it takes an afternoon. The hard part is making it automatic and testing it regularly. Set it up, automate it, verify it quarterly, and then forget about it. That's the goal — backups that protect you without requiring your attention.