Mirror Mirror | Your data, your systems, your sovereignty.
Cycle: Capture >> Organize >> Protect >> Ship
The 3-2-1 Rule -- Non-Negotiable
If your data exists in only one place, it does not exist. The 3-2-1 rule is the minimum standard for sovereignty over your files.
| Principle | Meaning | Your Implementation |
|---|---|---|
| 3 copies | Three total copies of any irreplaceable data | Primary + local backup + cloud |
| 2 media types | At least two different physical storage types | Internal SSD + external drive + cloud |
| 1 offsite | At least one copy in a different physical location | Cloud storage or off-site drive |
Recommended Tool Stack
Tier 1: Local Backup (Your Primary Mirror)
- macOS: Time Machine to a dedicated external drive (2TB+ recommended)
- Windows: File History + weekly full image via Macrium Reflect (free)
- Linux: rsync scheduled via cron or Timeshift for system snapshots
Tier 2: External / NAS Backup
- Hardware: Synology DS224+ or DS423 (2-bay or 4-bay NAS)
- Drive config: RAID 1 (mirrored) minimum -- two drives that mirror each other
- Sync tool: Synology Drive or rsync over local network
- Why NAS over a USB drive: Always on, automated, versioned, accessible from any device on your network
Tier 3: Cloud / Offsite Backup
- Backblaze B2: $6/mo unlimited. Set it and forget it. Best price-to-protection ratio.
- Arq Backup + B2 or Wasabi: Encrypted, scheduled, you control the keys. Sovereignty-first option.
- iCloud / Google Drive / Dropbox: Acceptable for sync, but not a true backup unless paired with versioning. You do not control the encryption keys.
- Proton Drive: End-to-end encrypted, privacy-first. Good for sensitive documents.
Encryption (Protect Layer)
- Cryptomator: Free, open-source. Creates encrypted vaults inside any cloud folder. You hold the key.
- VeraCrypt: Full-volume encryption for external drives. Heavyweight but bulletproof.
- Rule: If it leaves your local network, it gets encrypted. No exceptions.
Weekly Backup Checklist (Every Sunday, 10 Minutes)
- [ ] Verify Time Machine / local backup ran this week -- Check last backup timestamp
- [ ] Sync working files to NAS -- Confirm Synology Drive or rsync completed
- [ ] Confirm cloud backup status -- Open Backblaze/Arq dashboard, check last successful backup
- [ ] Spot-check one file -- Pick a random file from this week. Open it from your backup. Does it match? This is your restore test.
- [ ] Clear /00_Inbox -- Files in Inbox are not backed up by project. Sort them or lose them.
- [ ] Check storage capacity -- Flag if any drive is above 80% full
Monthly Backup Audit (First Sunday of the Month, 20 Minutes)
- [ ] Full restore test -- Pick a project folder from last month. Restore it from your cloud backup to a temp directory. Verify all files are intact and openable.
- [ ] Review backup logs -- Check for any failed or skipped backups in the last 30 days
- [ ] Update backup exclusions -- Add new cache folders, node_modules, .tmp directories to your exclusion list
- [ ] Verify encryption -- Confirm Cryptomator vaults are locked when not in use. Confirm VeraCrypt volumes auto-dismount.
- [ ] Check drive health -- Run SMART diagnostics on external drives (DriveDx on Mac, CrystalDiskInfo on Windows)
- [ ] Rotate offsite drive (if using physical offsite) -- Swap the drive you keep off-premises
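An added example (not part of the original template) of scripting the weekly spot-check and the monthly full restore test: it hashes every file in the source folder and in the restored copy with SHA-256 and reports what is missing or differs, skipping the patterns from this template's exclusion list. The function names and report keys are this example's own choices.

```python
import fnmatch
import hashlib
import os
from pathlib import Path

# Patterns from this template's "What NOT to Back Up" list (Downloads/ omitted: it is conditional).
EXCLUDE_DIRS = {"node_modules", ".cache", "__pycache__"}
EXCLUDE_FILES = ["*.tmp", ".DS_Store", "Thumbs.db", "*.log"]


def sha256_file(path, chunk=1 << 20):
    """Hash in 1 MiB chunks so large media files are never loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest(root):
    """Map relative path -> SHA-256 for every file that belongs in a backup."""
    root = Path(root)
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if d not in EXCLUDE_DIRS]
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or any(fnmatch.fnmatch(name, p) for p in EXCLUDE_FILES):
                continue
            out[full.relative_to(root).as_posix()] = sha256_file(full)
    return out


def verify_restore(source, restored):
    """Compare a restored tree against the source and return what differs."""
    src, dst = manifest(source), manifest(restored)
    both = src.keys() & dst.keys()
    return {
        "missing": sorted(src.keys() - dst.keys()),   # in source, absent from restore
        "mismatch": sorted(p for p in both if src[p] != dst[p]),  # content differs
        "extra": sorted(dst.keys() - src.keys()),     # in restore only (deleted/renamed since)
    }


def restore_ok(report):
    """A restore passes when nothing is missing and no content differs."""
    return not report["missing"] and not report["mismatch"]
```

A mismatch on a file you edited after the backup ran is expected; a mismatch on a file you have not touched is the one to investigate.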
Quarterly Backup Review (15 Minutes)
- [ ] Audit what is being backed up -- New projects, new folders, new devices added to your ecosystem? Are they all covered?
- [ ] Test disaster recovery -- Simulate losing your primary machine. Can you access everything you need from backup alone within 2 hours?
- [ ] Review cloud costs -- Is your storage bill reasonable? Are you paying for capacity you do not use?
- [ ] Update this checklist -- Add any new tools or drives to the tool stack above
- [ ] Verify credential backup -- Is your password manager database backed up independently? (See access-tiers.md)
Disaster Recovery Protocol
Scenario: Primary machine is destroyed, stolen, or fails.
Hour 1: Triage
- Breathe. Your data is in three places. You are sovereign.
- Access cloud backup from any browser (Backblaze, Arq, etc.)
- Identify what you need immediately (active projects, credentials)
- Download critical files to a temporary machine or device
Hour 2-4: Restore Active Work
- Connect NAS (if still available) and restore /01_Active and /02_Projects
- If NAS is also gone, restore from cloud -- start with /01_Active
- Restore password manager vault (from its own backup)
- Re-authenticate critical services
Day 1-3: Full Rebuild
- Set up new machine with your base configuration
- Restore full file structure from most recent complete backup
- Reinstall applications (keep a list in /06_Systems/sops/)
- Verify all automations and syncs are reconnected
- Run a full backup of the restored system immediately
Post-Recovery
- Document what worked and what did not
- Update your recovery procedure based on lessons learned
- Replace any failed hardware
- Verify 3-2-1 is fully re-established before resuming normal work
Backup Tiers by File Type
| File Type | Backup Priority | Minimum Copies | Notes |
|---|---|---|---|
| Client deliverables | Critical | 3+ | Loss = liability |
| Contracts / licenses | Critical | 3+ encrypted | Legal exposure |
| Active project files | High | 3 | Revenue at risk |
| Raw media (photo/video/audio) | High | 3 | Irreplaceable |
| Financial records | High | 3 encrypted | Tax/legal requirement |
| Templates / SOPs | Medium | 2 | Recreatable but costly |
| Application configs | Medium | 2 | Time-consuming to rebuild |
| Cache / temp files | None | 0 | Exclude from all backups |
What NOT to Back Up
Exclude these from all backup jobs to save space and speed:
node_modules/
.cache/
*.tmp
.DS_Store
Thumbs.db
__pycache__/
*.log (application logs, not decision logs)
Downloads/ (unless you treat it as Inbox)
Mirror Mirror Data Sovereignty Course | Template 3 of 9