2021-02-03

Local backup for professionals and organizations

My previous post talked about backup in general and cloud backup in particular.  I promised that my next post would finish by covering local backup.  Here it is.

First, the "why".  Recall that my previous post recommended you start by backing up your data files to the cloud.  Assuming that you're doing this, why would you also want to back up locally, that is to an external drive of some kind in the same room or building as your computer?

There are several excellent reasons:

  1. You need a second backup because one is not enough.  As mentioned in my previous post, a key tenet of information security is defense in depth. When applied to backup, this means having at least two backups of your data, in case something goes wrong with one of them.  You should start with a cloud backup, so you second backup should be a local backup.
  2. With a local backup you have the flexibility to set your own retention policy.  Your cloud backup may keep deleted files and old file versions for, say, only six months or a year, but with a local backup you can easily keep them for several years or even forever if you have a large enough external drive.
  3. Your local backup could be an external drive sitting by your desk, but you have other options too.  You could use a small portable drive or a flash drive and store it most of the time in your fire safe, or you could have two drives and swap them weekly or monthly between being attached to your computer and being in the fire safe, hidden in your home, or in a safety deposit box.  The sky's the limit on the possibilities.
  4. A very secure cloud backup is at least $100 a month -- every month, forever -- but a nice external drive can be purchased for $200 and will last for many years.  You can't dispense entirely with the cloud backup, but if you're price conscious you can use a less expensive (and less secure) cloud backup if you also have a local backup that you take care of well.
  5. If you need to restore a lot of data from your backup – perhaps your entire computer's worth – a local restore will likely be a lot faster than a cloud restore.  And a large cloud restore might use up enough of your monthly ISP data budget to cost you money, whereas a local restore is always going to be free.
  6. Finally, backing up locally offers a type of backup that is usually not done for a cloud backup: a system image backup.  A data backup, or files backup, includes just a user's files, but a system image backup is a backup of a computer's entire main drive, including the user's files, application software and settings, and the operating system.  Due to its size, it's usually not practical to transfer a system image backup to the cloud – but it's very easy to store it on a local drive.  Having a system image backup is not essential, but it's a much faster way to recover from a major computer failure.  Without a system image backup, recovery means reinstalling the OS and all applications, configuring (including hardening) the OS, configuring all applications, and restoring the user's data; whereas with a system image backup, it's a single restore operation that does everything in one step.

Encryption

In my previous post I listed three backup-specific requirements: sufficient confidentiality, sufficiently long retention, and support for point-in-time restore.  These of course apply to local backups too, and you may want to reread that part of my previous post before continuing on here.  Local backup software typically provides sufficient retention and a point-in-time restore, but confidentiality needs more discussion.

For a local backup, confidentiality means encrypting the external drive, and this can be done by the backup software and/or the operating system.  All backup software provides encryption, but encryption in the backup software that comes with many backup drives may not be sufficiently well implemented and secure.  If your computer's OS has the ability to encrypt external drives, use it; in this case you don't need to use the encryption feature of the backup software.  

If your OS can't encrypt external drives, you're probably on Windows 10 Home, in which case your computer's main drive is not encrypted either.  This is a bad situation and you should upgrade to Windows 10 Pro, which will give you the BitLocker feature.  BitLocker gives you the ability to encrypt not only your computer's main drive but also any external drive, such as the one you're going to use for backup.  

If for some reason you decide not to use the OS to encrypt your backup drive, you have four choices:

  1. don't encrypt the backup drive – not a good idea unless the data is not sensitive
  2. use the encryption built into the backup software that came with your backup drive – easy but not recommended, as discussed above
  3. use the encryption built into third-party backup software – a good choice, see below
  4. use quality third-party encryption software like VeraCrypt to encrypt the backup drive – a great choice

Whether you're using the OS, third-party software, or your backup software to encrypt the drive, make sure you store the encryption password in your password manager

Backup software

What backup software to use?  Let's talk about data backup first.  You can use the backup feature built into your computer's OS or you can use third-party software.  Here are some good choices:

  • Windows 10 File History – Don't use the older "Backup and Restore (Windows 7)" feature
  • macOS Time Machine – If you have a Mac
  • CrashPlan – It's a (great) cloud backup service, but it also allows backup up to a local drive.
  • Macrium Reflect Home Edition – It's primarily (great) system image backup software, but it also supports backing up just data files.
  • SyncBackSE – It's pure backup software that works very nicely.  You need the SE version (not the Free version) in order to get the critical Versioning feature.

CrashPlan, Reflect, and SyncBackSE will all do a good job of encrypting your backup, if you so configure them.

You could also use the backup software, if any, that comes with your external drive to perform your backup.  It's generally best, though, as discussed above, if you don't use the software's encryption capabilities.

For system image backup, here are some good choices:

  • On Windows, there is no good system image backup feature built in. (Don't use "Backup and Restore (Windows 7)": it's old and crotchety and even Microsoft recommends using third-party system image backup software instead.  Definitely don't try it if you use BitLocker.)
  • macOS Time Machine – If you have a Mac
  • Macrium Reflect Home Edition – Very nice software that supports BitLocker well
  • Acronis True Image – People seem to like it, but I recommend you stay away from it if you use BitLocker.

Backup drives

Finally, we get to the bottom level of the stack: the backup drive hardware.  You have many choices, including desktop backup drives, portable backup drives, and flash drives.  Desktop and portable drives used to always be hard disk drives (HDDs) but solid-state drives (SSDs) are now starting to appear at reasonable prices.  Flash drives, which are essentially small and slow SSDs, are now available for reasonable prices up to 512 GB, and would be useful if you want to hide your backup drive.

You should obviously buy a drive that has an interface that your computer supports.  USB is the most common, but pay attention to the physical connector and the USB version number.

Speed is not that important for a backup drive but size does matter.  You can never have enough backup storage, and right now the sweet spot seems to be about 8 TB for HDDs, which are currently the best choice for most people.

WD (Western Digital) and Seagate are respected brand names in HDDs.

Parting words

As mentioned above you absolutely should have more than one backup because things always go wrong.  My last post suggested that you add backups in this order: (1) a cloud backup, (2) a local backup, (3) a second cloud backup, and (4) a second local backup.  How far down the list you go depends on how important your data is and how paranoid you are.

A final recommendation: make sure you occasionally do a test restore of all your backups, both local and cloud.  Otherwise you might discover – just when you need it the most -- that your fail-safe has failed and can't be restored from.