The key is to set things up once so as to hardly need to think about them again.
My iMac automatically backs up to a Time Capsule every hour. I hardly notice this happening (but I do know that it is happening).
Every ten days it reminds me to back up to an external HD that I keep hidden the rest of the time. When it does that I go get the HD, plug it in, and start the backup.
Finally, I have a contract with an online backup provider. This backup also happens automatically. I forget how often, but I get regular reports that it does.
All of these backups are encrypted. All of my computing devices need a password (or thumbprint, or Face ID) to log in.
I have only once needed to restore a whole machine from backup (which worked). I have more often had reason to go delving into the Time Machine backups to retrieve old versions of current files.
I have various other computing devices with their own backup provisions. In some cases that is none, by choice, because they are not places where “work” happens, i.e. places where I create things that I don’t want to risk losing. My PC, for example, only exists to be able to run VR applications. Pretty much everything on my iPhone exists in the iCloud and therefore on my iMac also.
To address your criteria:
All backups are encrypted.
The only thing that requires an ongoing subscription is the online backup provider, for which I pay $60/year. My backup with them is currently just under 2TB.
I’ve never had a flood come into the house, but all my computer stuff is upstairs anyway. If my house burned down and all that is in it, I’d be reliant on the online provider to get stuff back.
As the Time Capsule is always on and always connected, I guess ransomware would get at that too, but the external drive and the online backups would presumably escape.
I don’t have a solution to this. There are two passwords that I must not ever forget. One is the password to my iMac, and the other is the password to an encrypted file on the iMac (and backed up to a USB stick) containing all my other passwords. I use both of these daily, which keeps them in my memory, but I know that any password I don’t use for a few months is likely to drop out. Writing them down is vulnerable to forgetting where I wrote them, and to the house burning down, and to theft.
The solution to forgetting passwords is to have multiple alternative passphrases that unlock the same critical thing.
Maybe there is a more convenient way to implement this, but a primitive solution is to use a password manager, create multiple files containing the same master password, each of those files encrypted by one of the alternative passwords.
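The idea in the comment above (several alternative passphrases that unlock the same critical secret), as an added example that is not part of the original thread: each passphrase wraps the same random master key in its own "slot", so the vault itself is encrypted only once. It uses only Python's standard library (scrypt, then a one-time XOR pad plus HMAC as a stand-in for a proper AEAD); the function names and sample passphrases are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# scrypt cost parameters; 64 bytes out = 32-byte pad + 32-byte MAC key
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=64)


def _slot_keys(passphrase: str, salt: bytes):
    """Stretch a passphrase into a 32-byte pad and a 32-byte MAC key."""
    okm = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt, **SCRYPT)
    return okm[:32], okm[32:]


def add_slot(master_key: bytes, passphrase: str) -> dict:
    """Wrap the 32-byte master key under one passphrase."""
    if len(master_key) != 32:
        raise ValueError("master key must be 32 bytes")
    salt = secrets.token_bytes(16)  # fresh salt per slot, so the pad is never reused
    pad, mac_key = _slot_keys(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unlock(slots: list, passphrase: str):
    """Try the passphrase against every slot; return the master key or None."""
    for slot in slots:
        pad, mac_key = _slot_keys(passphrase, slot["salt"])
        expected = hmac.new(mac_key, slot["salt"] + slot["wrapped"],
                            hashlib.sha256).digest()
        if hmac.compare_digest(expected, slot["tag"]):  # constant-time check
            return bytes(a ^ b for a, b in zip(slot["wrapped"], pad))
    return None


def demo() -> bool:
    master_key = secrets.token_bytes(32)  # the key that actually encrypts the vault
    # Constructed sample passphrases, one slot each
    phrases = ("daily passphrase", "rarely used backup phrase")
    slots = [add_slot(master_key, p) for p in phrases]
    return unlock(slots, "rarely used backup phrase") == master_key


if __name__ == "__main__":
    print("unlocked with the alternative passphrase:", demo())
```

Every slot is an independent way in, so the weakest passphrase sets the strength of the whole scheme; deleting a slot retires its passphrase without re-encrypting the vault.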
Safety deposit boxes are one solution to this problem: write the password down on a piece of paper and pass the job of identity verification off to the bank. This solution can also serve as an alternative to backing things up online: keep one external drive in the bank and one at home, swapping them with enough regularity that you avoid total losses.
This approach does have some downsides:
-Relies on your bank’s identity verification methods.
-Not accessible remotely (this is the primary reason it is safe).
-Requires you to physically go to a bank to make use of it (can be a large enough trivial inconvenience to prevent regularly swapping the external drives)
It also has pros:
-Can set up access for next of kin without giving them current access.
-Immune to the sorts of attacks that scale.
-Gives you physical access to something that won’t burn down in a house fire.
I wrote down my master password in multiple public places. No one can connect them to me but I can retrieve them when I want. (If I was targeted by a sophisticated enough adversary they could’ve been tailing me when I went to write/hide them.)
Is it passwordy-looking enough that somebody might want to search it through published leaks?
In either case, you should check it on haveibeenpwned.com, though I suspect you do that already.