Contents

Chapter 1

Backup Strategy Guide

Part of: Backup & Disaster Recovery Kit by Datanest Digital

A comprehensive guide to designing, implementing, and maintaining a production backup strategy.


1. The 3-2-1 Rule

The foundational principle of data protection:

  • 3 copies of your data (1 primary + 2 backups)
  • 2 different storage media types (e.g., local disk + cloud object storage)
  • 1 copy offsite (different geographic region or cloud provider)

Practical Implementation

Primary Data (Production)
  ├── Copy 1: Local backup (same region, different server)
  ├── Copy 2: Cloud object storage (S3, B2, GCS)
  └── Copy 3: Cross-region replica (different cloud region)

Extended Rule: 3-2-1-1-0

Modern best practice extends this to:

  • 1 copy offline or air-gapped (ransomware protection)
  • 0 errors after verification (every backup is tested)

2. Encryption

At Rest

All backups should be encrypted before upload:

bash
# AES-256-CBC with PBKDF2 key derivation
openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 \
  -in backup.tar.zst \
  -out backup.tar.zst.enc \
  -pass env:ENCRYPTION_KEY

Key Management Best Practices

PracticeDescription
Never store keys with backupsIf an attacker gets your backups, they shouldn't also get the key
Use a secrets managerAWS KMS, HashiCorp Vault, Azure Key Vault
Rotate keys periodicallyAt minimum annually; re-encrypt old backups with new keys
Document key recoveryEnsure multiple team members can access the decryption key
Test decryption regularlyPart of your monthly restore drill

S3 Server-Side Encryption

In addition to client-side encryption, enable S3-SSE:

bash
# Enable default encryption on the bucket
aws s3api put-bucket-encryption \
  --bucket my-backups \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "alias/backup-key"
      }
    }]
  }'

3. Cross-Region Replication

Why

A regional outage could affect both your primary data and your backups if they're in the same region.

Setup with S3 Cross-Region Replication

bash
# Enable versioning (required for replication)
aws s3api put-bucket-versioning \
  --bucket my-backups \
  --versioning-configuration Status=Enabled

# Configure replication
aws s3api put-bucket-replication \
  --bucket my-backups \
  --replication-configuration '{
    "Role": "arn:aws:iam::123456789012:role/backup-replication-role",
    "Rules": [{
      "Status": "Enabled",
      "Destination": {
        "Bucket": "arn:aws:s3:::my-backups-eu-west-1",
        "StorageClass": "STANDARD_IA"
      }
    }]
  }'

Multi-Cloud Strategy

For maximum resilience, replicate to a different cloud provider:

bash
# Use rclone to sync S3 to Backblaze B2
rclone sync s3:my-backups b2:my-backups-b2 \
  --transfers=8 \
  --checkers=16 \
  --filter="+ *.dump.*" \
  --filter="+ *.tar.*" \
  --filter="- *"

4. Backup Testing

Why Test?

An untested backup is not a backup. Common failure modes:

  • Backup file is corrupted (bitrot, interrupted upload)
  • Backup is encrypted but the key is lost
  • Backup format is incompatible with the current version
  • Backup doesn't include all necessary data (missing schemas, configs)

Testing Pyramid

                 ┌─────────────────┐
                 │  Full DR Drill   │  Quarterly
                 │  (end-to-end)   │
                 ├─────────────────┤
                 │ Restore Drill    │  Monthly
                 │ (single system) │
                 ├─────────────────┤
                 │ Integrity Check  │  Weekly
                 │ (checksum + list)│
                 ├─────────────────┤
                 │ Existence Check  │  Daily
                 │ (file exists,   │
                 │  size > 0)      │
                 └─────────────────┘

Automated Testing

bash
# Run this on a schedule (weekly recommended)
./scripts/verify-backups.sh \
  --bucket s3://my-backups \
  --all \
  --test-restore \
  --report /var/log/backups/weekly-verification.json

5. Compliance Considerations

GDPR

  • Backups containing personal data must be encrypted
  • You must be able to delete personal data from backups (right to erasure)
  • Backup retention should align with your data retention policy
  • Document where backups are stored (data processing records)

SOC 2

  • Backup procedures must be documented
  • Access to backups must be logged and audited
  • Backups must be tested regularly (with evidence)
  • Encryption is required for data at rest and in transit

HIPAA

  • All backups containing PHI must be encrypted (AES-256 minimum)
  • Access controls must limit who can read/restore backups
  • Audit logs must track all backup operations
  • Business Associate Agreements (BAAs) required with cloud providers

PCI DSS

  • Cardholder data in backups must be encrypted
  • Backup media must be physically secured
  • Backup logs must be reviewed regularly
  • Test restores must be performed periodically

Implementation Checklist

  • [ ] Enable encryption on all backup storage
  • [ ] Enable object lock / WORM for compliance buckets
  • [ ] Restrict backup access with IAM policies
  • [ ] Enable CloudTrail / audit logging for backup operations
  • [ ] Document backup procedures and retention policies
  • [ ] Schedule and document regular restore tests
  • [ ] Configure alerts for backup failures

6. Cost Optimization

Storage Class Selection

AgeStorage ClassCost (per GB/month)Retrieval Time
0-30 daysStandard / Standard-IA$0.023 / $0.0125Immediate
30-90 daysS3 Infrequent Access$0.0125Immediate
90-365 daysGlacier Instant Retrieval$0.004Milliseconds
1-5 yearsGlacier Flexible$0.00361-12 hours
5+ yearsGlacier Deep Archive$0.0009912-48 hours

Cost-Saving Tips

1. Compress before upload: zstd typically achieves 3-5x compression on database dumps

2. Use lifecycle policies: Automatically transition old backups to cheaper storage

3. Deduplicate: Use incremental backups (rsync --link-dest) to avoid storing duplicate data

4. Monitor backup sizes: Unexpected growth may indicate issues

5. Clean up old backups: Enforce retention policies to avoid indefinite growth


7. Quick Reference

Backup Commands

bash
# PostgreSQL
./scripts/backup-postgres.sh --host db.prod --database myapp --bucket s3://backups/pg --encrypt

# MySQL
./scripts/backup-mysql.sh --host db.prod --database myapp --bucket s3://backups/mysql --encrypt

# Filesystem
./scripts/backup-filesystem.sh --source /data --destination s3://backups/files --encrypt

# Docker volumes
./scripts/backup-docker-volumes.sh --all --bucket s3://backups/volumes

Restore Commands

bash
# PostgreSQL
./scripts/restore-postgres.sh --host db.new --database myapp --bucket s3://backups/pg --decrypt --create-db

# Filesystem
./scripts/restore-filesystem.sh --source s3://backups/files --destination /data --decrypt

Verify Commands

bash
# Verify all backups
./scripts/verify-backups.sh --bucket s3://backups --all --test-restore --report report.json
Chapter 2

Backup & Disaster Recovery Kit

Battle-tested backup scripts and disaster recovery runbooks for production infrastructure.

![License: MIT](LICENSE)

![Shell]()

![Docker]()

Automate your backups, verify their integrity, and recover in minutes -- not hours.


Chapter 3
🔒 Available in full product

What You Get

You’ve reached the end of the free preview

Get the full Backup Disaster Recovery and unlock everything.

All Chapters

Get the complete guide with every chapter unlocked, including code samples, diagrams, and best practices.

Full Tool Suite

Access all interactive tools with complete data, all workload profiles, and the full scenario library.

Source Files

Downloadable source code, configuration files, and working examples from every chapter.

Lifetime Updates

Free updates for life. Every new chapter, tool, and improvement included.

Buy Now — $39 →
📦 Free sample included — download another copy for the full product.
Backup Disaster Recovery v1.0.0 — Free Preview