Digital Preservation

The 3-2-1 rule for archives means keeping at least three copies of every digital object, stored on two different media or systems, with one copy kept offsite or offline. Applied properly, no single event — a failed drive, a flood, a ransomware attack, or a deleted cloud account — can take out all your copies at once. It is the cheapest, most reliable foundation of bit-level preservation, but it only protects the bits; you still need fixity checks and format monitoring on top.

Why three copies, two media, one offsite?

Each number neutralises a different failure mode. Three copies cover the statistical reality that storage fails; with two copies a simultaneous loss is plausible, with three it is vanishingly unlikely. Two media types stop a correlated failure — a firmware bug or a bad batch of identical drives wiping every copy at once. One offsite copy survives the fire, flood or theft that destroys your building. Strengthen the rule by making the offsite copy offline too, which is the only reliable defence against ransomware that encrypts everything it can reach.

How do I map 3-2-1 onto a real archive?

A worked layout for a 2 TB collection:

| Copy | Location | Medium | Role |
|---|---|---|---|
| 1 | Office NAS | Spinning disk (RAID) | Working copy, daily access |
| 2 | External drive, locked drawer | USB HDD | Local secondary, rotated weekly |
| 3 | Cloud object store (S3 / B2) | Cloud (different system) | Offsite, versioned |

Note that RAID is not a backup — it is one copy that tolerates a disk failure. Counting your RAID array as two copies is the most common 3-2-1 mistake.

Building the workflow with rsync and rclone

Keep the copies in sync with checksummed transfers, never a drag-and-drop. A nightly local mirror and a daily cloud push:

```bash
# Local copy to rotated external drive, preserving timestamps,
# with checksum comparison rather than size+mtime
rsync -avh --checksum /srv/archive/ /mnt/backup-drive/archive/

# Offsite copy to a versioned, immutable cloud bucket. Versions are kept by
# the bucket's own settings; rclone's --b2-versions flag only lists old
# versions and blocks writes, so it is not passed to sync.
rclone sync /srv/archive/ b2:my-archive-cold \
  --checksum --transfers 8
```

Enable object versioning (or object lock / immutability) on the cloud copy so a bad sync cannot silently delete the offsite version.

How often should I verify the copies?

A copy you never check is a copy you cannot trust. Schedule fixity runs against a stored manifest, and crucially, test a restore. Pull a random object from the cloud copy each quarter and confirm it matches the original checksum:

```bash
sha256sum -c manifest-sha256.txt   # verify against the stored manifest
```

Untested backups fail at the worst moment; an annual full-restore drill is non-negotiable.

What 3-2-1 does not protect against

The rule guards bits, not meaning. It will faithfully replicate a corrupted file, a wrong format, or content your designated community can no longer read. Pair it with: fixity checking to catch silent corruption before it propagates to every copy, format risk monitoring, and preservation metadata recording when and how each copy was made. A backup with no provenance trail is hard to defend in an audit.
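The manifest check and quarterly restore test described earlier, plus a gate that stops a corrupted source from propagating to the other copies, as an added shell example (not code from the original article). The function names are hypothetical, GNU coreutils is assumed, and the copy being spot-checked is assumed to be a local path or mount.

```shell
# Added example: function names are hypothetical. Assumes GNU coreutils.

# make_manifest DIR MANIFEST: checksum every file under DIR using relative
# paths, so one manifest verifies every copy. Keep MANIFEST outside DIR.
make_manifest() {
  ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$2"
}

# verify_copy DIR MANIFEST: print changed or missing files; non-zero if any.
verify_copy() {
  ( cd "$1" && sha256sum --quiet -c - 2>/dev/null ) < "$2"
}

# spot_check COPY_ROOT MANIFEST: restore one randomly chosen object to a
# scratch file and compare its hash with the manifest entry.
spot_check() {
  line=$(shuf -n 1 "$2") || return 2
  want=${line%% *}                 # recorded SHA-256
  rel=${line#*  }; rel=${rel#./}   # path relative to the copy root
  tmp=$(mktemp) || return 2
  # For a cloud copy, fetch with: rclone copyto "REMOTE:BUCKET/$rel" "$tmp"
  cp "$1/$rel" "$tmp" 2>/dev/null && got=$(sha256sum < "$tmp") || got=unreadable
  rm -f "$tmp"
  got=${got%% *}
  echo "$rel: recorded=$want restored=$got"
  [ "$got" = "$want" ]
}

# guarded SRC MANIFEST CMD...: run the sync command only when SRC passes
# fixity, so a corrupted or encrypted source is not pushed to other copies.
guarded() {
  src=$1 manifest=$2
  shift 2
  if ! verify_copy "$src" "$manifest" >&2; then
    echo "fixity failure in $src: sync skipped" >&2
    return 1
  fi
  "$@"
}

# Usage (paths from the article):
#   guarded /srv/archive manifest-sha256.txt \
#     rsync -avh --checksum /srv/archive/ /mnt/backup-drive/archive/
```

Files added after the manifest was written are not covered until the manifest is regenerated or extended, so update it as part of each accession.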

A starter plan for under a terabyte

Buy two external drives. Keep one connected and synced nightly, store the other offsite and swap them monthly. Add one cloud cold-storage bucket with versioning. Write a one-page schedule naming who runs the sync, when fixity is checked, and when the offsite drive rotates. That is full 3-2-1 compliance for well under the cost of a single data-recovery callout.

Key Takeaways

  • 3-2-1 = three copies, two media or systems, one offsite (ideally offline).
  • RAID is fault tolerance, not a backup — never count it as two copies.
  • Use checksummed transfers (rsync --checksum, rclone --checksum), not drag-and-drop.
  • Enable versioning or object lock on the offsite copy to survive bad syncs and ransomware.
  • Verify copies against a stored manifest quarterly and test a real restore yearly.
  • 3-2-1 protects the bits only; layer fixity, format monitoring and metadata on top.
  • The whole rule is affordable: two rotated drives plus one cloud bucket suffices for small collections.

Frequently Asked Questions

What does the 3-2-1 backup rule mean for an archive?

Keep at least three copies of every object, on two different storage media or systems, with one copy held offsite or offline, so no single failure or disaster can destroy all copies at once.

Is 3-2-1 the same as digital preservation?

No. 3-2-1 protects the bits against loss, but preservation also requires fixity checking, format monitoring and metadata; backup is one necessary layer, not the whole job.

Does cloud storage count as two of the three copies?

Treat a single cloud provider as one copy on one system, even if the provider replicates internally; provider-level replication does not protect you from account deletion or a billing lapse.

How often should I verify backup copies?

Run fixity checks on every copy at least quarterly for active collections and annually for cold storage, and test a full restore at least once a year.

What is the difference between a backup and an offline copy?

A backup is any additional copy; an offline or air-gapped copy is disconnected from your network so that ransomware or a runaway script cannot reach and overwrite it.

Can I use 3-2-1 with a small budget?

Yes. Two external drives rotated offsite plus one inexpensive cloud bucket meets 3-2-1 for collections under a few terabytes for a modest annual cost.