Executive Summary

After witnessing countless developers lose everything to sudden account suspensions, this protocol establishes a multi-provider backup strategy that ensures your data survives even if a vendor decides you no longer exist.

The Three-Two-One-Zero Rule

Traditional backup follows the 3-2-1 rule:

3 copies of important data

copies of important data 2 different storage media types

different storage media types 1 offsite backup

We’re adding:

0 trust in any single provider

Implementation

Phase 1: Inventory Your Data

First, identify what needs protection:

# Create a data inventory cat > ~/.backup-manifest.yaml << 'EOF' critical: - path: ~/projects size: 50GB type: code - path: ~/documents/contracts size: 5GB type: legal - path: ~/.ssh size: 100MB type: keys - path: ~/.gnupg size: 200MB type: encryption important: - path: ~/archives size: 200GB type: historical EOF

Phase 2: Primary Cloud Backup (Provider A)

Using Restic for encrypted, deduplicated backups:

# Install restic brew install restic # macOS # or sudo apt install restic # Ubuntu # Initialize S3-compatible backup (works with AWS, Backblaze B2, Wasabi) export RESTIC_REPOSITORY = "s3:s3.amazonaws.com/your-backup-bucket" export AWS_ACCESS_KEY_ID = "your-access-key" export AWS_SECRET_ACCESS_KEY = "your-secret-key" export RESTIC_PASSWORD = "your-strong-password" restic init # Create backup script cat > ~/bin/backup-primary.sh << 'EOF' #!/bin/bash set -euo pipefail RESTIC_REPOSITORY="s3:s3.amazonaws.com/your-backup-bucket" export RESTIC_PASSWORD_FILE="~/.restic-password" # Backup with tags restic backup \ --tag "automated" \ --tag "$(date +%Y-%m-%d)" \ --exclude-file ~/.backup-exclude \ ~/projects \ ~/documents \ ~/.ssh \ ~/.gnupg # Cleanup old snapshots (keep 7 daily, 4 weekly, 12 monthly) restic forget \ --keep-daily 7 \ --keep-weekly 4 \ --keep-monthly 12 \ --prune EOF chmod +x ~/bin/backup-primary.sh

Phase 3: Secondary Cloud Backup (Provider B)

Using Rclone for provider-agnostic sync:

# Install rclone curl https://rclone.org/install.sh | sudo bash # Configure Google Cloud Storage rclone config # Choose: n (new remote) # Name: gcs-backup # Storage: google cloud storage # Follow auth flow # Sync encrypted backup to GCS cat > ~/bin/backup-secondary.sh << 'EOF' #!/bin/bash set -euo pipefail # Encrypt and sync to Google Cloud rclone sync \ ~/projects \ gcs-backup:your-backup-bucket/projects \ --crypt-remote gcs-backup:your-backup-bucket \ --crypt-password "$(cat ~/.rclone-password)" \ --progress EOF chmod +x ~/bin/backup-secondary.sh

Phase 4: Local Network Backup

Never underestimate physical control:

# Setup local NAS backup using rsync cat > ~/bin/backup-local.sh << 'EOF' #!/bin/bash set -euo pipefail BACKUP_HOST="nas.local" BACKUP_PATH="/volume1/backups/$(hostname)" # Check if NAS is reachable if ! ping -c 1 -W 2 $BACKUP_HOST > /dev/null 2>&1; then echo "NAS unreachable, skipping local backup" exit 0 fi # Rsync with hard links for deduplication rsync -avP \ --link-dest="$BACKUP_PATH/latest" \ --exclude-from ~/.backup-exclude \ ~/projects \ ~/documents \ $BACKUP_HOST:$BACKUP_PATH/$(date +%Y-%m-%d-%H%M) # Update latest symlink ssh $BACKUP_HOST "ln -sfn $BACKUP_PATH/$(date +%Y-%m-%d-%H%M) $BACKUP_PATH/latest" EOF chmod +x ~/bin/backup-local.sh

Phase 5: Offline Archive

The ultimate insurance - cold storage:

# Quarterly offline backup to external drive cat > ~/bin/backup-offline.sh << 'EOF' #!/bin/bash set -euo pipefail ARCHIVE_DRIVE="/Volumes/OfflineBackup" ARCHIVE_PATH="$ARCHIVE_DRIVE/archives/$(date +%Y-Q%q)" if [ ! -d "$ARCHIVE_DRIVE" ]; then echo "Archive drive not mounted!" exit 1 fi # Create encrypted archive tar -cf - ~/projects ~/documents | \ gpg --symmetric --cipher-algo AES256 | \ split -b 4G - "$ARCHIVE_PATH/backup-" # Generate checksum find "$ARCHIVE_PATH" -name "backup-*" -exec sha256sum {} \; > "$ARCHIVE_PATH/checksums.txt" # Unmount for safety diskutil unmount "$ARCHIVE_DRIVE" echo "Offline archive complete. Store drive in secure location." EOF chmod +x ~/bin/backup-offline.sh

Phase 6: Automation & Monitoring

# Setup cron jobs crontab -e # Add these lines: 0 2 * * * /home/user/bin/backup-primary.sh >> /var/log/backup-primary.log 2>&1 0 4 * * * /home/user/bin/backup-secondary.sh >> /var/log/backup-secondary.log 2>&1 0 6 * * * /home/user/bin/backup-local.sh >> /var/log/backup-local.log 2>&1 0 0 1 * /3 * /home/user/bin/backup-offline.sh # Quarterly # Monitor backup health cat > ~/bin/backup-monitor.sh << 'EOF' #!/bin/bash # Check last backup times echo "=== Backup Status ===" echo "Primary: $(restic snapshots --latest 1 --json | jq -r '.[0].time')" echo "Secondary: $(rclone lsl gcs-backup: | head -1 | awk '{print $2, $3}')" echo "Local: $(ssh nas.local "ls -la /volume1/backups/$(hostname)/latest" | awk '{print $6, $7, $8}')" # Alert if backup is older than 48 hours # Add your alerting logic here (email, Slack, etc.) EOF chmod +x ~/bin/backup-monitor.sh

Recovery Testing

CRITICAL: A backup you’ve never restored is just wishful thinking.

Monthly Recovery Drill

# Test restore from each provider mkdir ~/restore-test # Test primary (Restic/S3) restic restore latest --target ~/restore-test/primary --include ~/projects/important-file.txt # Test secondary (Rclone/GCS) rclone copy gcs-backup:your-backup-bucket/projects/important-file.txt ~/restore-test/secondary # Test local (Rsync/NAS) rsync -av nas.local:/volume1/backups/ $( hostname ) /latest/projects/important-file.txt ~/restore-test/local # Verify all match sha256sum ~/restore-test/ * /important-file.txt

Cost Optimization

Monthly costs for 1TB backed up:

AWS S3 Glacier: ~$4

Backblaze B2: ~$5

Google Cloud Archive: ~$3

Local NAS: One-time hardware cost

Total: ~$12/month for peace of mind

Red Flags to Watch

If you see these, execute immediate backup:

“Please verify your account within X days”

Sudden API rate limiting

Support tickets taking longer than usual

Mass exodus from the provider on social media

Acquisition announcements

The Nuclear Option

If a provider locks you out:

# Emergency recovery from other providers ./emergency-restore.sh --source secondary --target ~/emergency-recovery ./emergency-restore.sh --source local --target ~/emergency-recovery # Immediately replicate to new provider rclone copy ~/emergency-recovery newprovider:emergency-backup

Remember

“The cloud is just someone else’s computer. And that someone can decide you don’t exist.”

Your data’s survival depends on your paranoia level. Adjust accordingly.