Offsite Backup Strategies

An offsite backup is a copy stored in a physically separate location from your servers. Without an offsite copy, you are one fire, flood, theft, ransomware infection, or datacenter failure away from losing both your live data and your backups simultaneously. The 3-2-1 backup rule specifically requires one offsite copy. Cloud object storage (S3, Backblaze B2, Wasabi) has made offsite backup affordable and reliable for any size operation.

Why offsite backups are non-negotiable

Scenarios where local-only backup fails:

  Ransomware:
    Malware encrypts all attached storage including NAS backup drives
    → Offsite backup (S3) is unaffected if not mounted at time of infection

  Datacenter fire/flood:
    Physical destruction of primary + local backup storage
    → Offsite backup (different city) survives

  Server compromise:
    Attacker deletes all data including backup directories
    → S3 bucket with versioning enabled recovers deleted objects

  In all these cases: local backup = gone, offsite backup = only recovery option

Cloud backup options

Provider       Cost (per TB/month)   Egress cost         Best for
AWS S3         ~$23                  $0.09/GB            AWS-integrated setups
Backblaze B2   ~$6                   Free (Cloudflare)   Cost-sensitive backups
Wasabi         ~$7                   Free                Large data, frequent restores
GCS Nearline   ~$10                  $0.08/GB            GCP-integrated setups

Syncing to S3 with rclone

# rclone supports 40+ cloud storage backends including S3, B2, GCS
sudo apt install -y rclone

# Configure rclone (interactive wizard):
rclone config
# Follow prompts to add S3 or B2 remote, enter credentials

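# Sync backup directory to S3 (only transfers changes).
# Note: sync makes the remote match the source, so files deleted locally
# are also deleted from the remote; use "rclone copy" to upload without deleting.
rclone sync /backup/ remote:my-backup-bucket/server1/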

# Copy with bandwidth limit (so it doesn't saturate your link):
rclone copy --bwlimit 10M /backup/ remote:my-backup-bucket/server1/

# Sync restic repository to cloud:
rclone sync /mnt/backup/restic-repo/ remote:my-bucket/restic/

# Add to cron to run after local backup completes:
echo "0 4 * * * root rclone sync /backup/ remote:my-bucket/ >> /var/log/rclone.log 2>&1" | sudo tee /etc/cron.d/rclone-offsite

Securing offsite backups

# 1. Encrypt before sending (restic does this automatically)
# For rsync/rclone, encrypt with GPG or use restic:
restic backup --repo s3:s3.amazonaws.com/my-bucket /var/www

# 2. Enable versioning on S3 bucket (protects against accidental deletion):
aws s3api put-bucket-versioning --bucket my-backup-bucket \
  --versioning-configuration Status=Enabled

# 3. Use immutable backups (object lock) to prevent ransomware deletion.
# Object Lock requires versioning (step 2). In COMPLIANCE mode no user, including
# the account root, can delete a locked object version or shorten its retention.
aws s3api put-object-lock-configuration --bucket my-backup-bucket \
  --object-lock-configuration 'ObjectLockEnabled=Enabled,Rule={DefaultRetention={Mode=COMPLIANCE,Days=30}}'

# 4. Restrict S3 IAM permissions to upload-only:
# Create an IAM policy that allows s3:PutObject but not s3:DeleteObject.
# A compromised server then cannot delete offsite backups. PutObject can still
# overwrite an existing key, so keep versioning (step 2) enabled.

Conclusion

For most setups, Backblaze B2 + rclone or restic + S3 is the most cost-effective offsite solution. Enable S3 versioning to protect against accidental deletion, and consider Object Lock for compliance requirements or ransomware protection. The IAM permission restriction is important: the server should have upload-only permissions to the backup bucket. If the server is compromised, the attacker cannot delete your offsite backups. Regularly verify offsite backups are current by checking the timestamp of the most recent uploaded file.
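
The freshness check recommended above, as an added example (not code from the original article): it reads an rclone lsf listing and fails when the newest object is older than a threshold or the listing is empty. The function names, the 26-hour threshold and the sample listing are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the article): alert when the offsite copy is stale.
# Assumes GNU date (Ubuntu) and input in `rclone lsf --format tp` form:
#   YYYY-MM-DD HH:MM:SS;path

# Constructed sample listing for offline testing (not real bucket contents).
SAMPLE_LISTING='2024-05-01 04:00:12;server1/db-2024-05-01.sql.gz
2024-05-02 04:00:09;server1/db-2024-05-02.sql.gz
2024-04-30 04:00:15;server1/db-2024-04-30.sql.gz'

# Print the newest timestamp found on stdin (empty output if none).
# Fixed-width timestamps compare correctly as plain strings.
newest_mtime() {
    awk -F';' '
        $1 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] / && $1 > max { max = $1 }
        END { if (max != "") print max }'
}

# check_freshness MAX_AGE_HOURS [NOW_EPOCH] < listing
# Returns 0 if fresh, 1 if stale, 2 if the listing is empty or unparseable.
check_freshness() {
    local max_hours now newest newest_epoch age_hours
    max_hours=$1
    now=${2:-$(date +%s)}
    newest=$(newest_mtime)
    if [ -z "$newest" ]; then
        echo "CRITICAL: offsite listing is empty" >&2
        return 2
    fi
    newest_epoch=$(date -d "$newest" +%s 2>/dev/null) || return 2
    age_hours=$(( (now - newest_epoch) / 3600 ))
    if [ "$age_hours" -gt "$max_hours" ]; then
        echo "CRITICAL: newest offsite object is ${age_hours}h old ($newest)" >&2
        return 1
    fi
    echo "OK: newest offsite object is ${age_hours}h old ($newest)"
}

# Real use after the nightly sync (26h tolerates one late run).
# --use-server-modtime reports upload time rather than the source file's mtime:
#   rclone lsf -R --files-only --format tp --use-server-modtime remote:my-bucket/ \
#       | check_freshness 26
```

Run the check with credentials that can only list the bucket, so a monitoring host does not become another path to the backups.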

FAQ

Is Offsite Backup Strategies important for Ubuntu administrators?

Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.

Should I practice this on a live server?

Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.

What should I do after reading this article?

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.
