Two distinct pieces of advice: 1) Buy a NAS (I use Synology, my understanding is that they’re all somewhat comparable). Backup from your local devices to that is pretty trivial, and different for different OSs. I put “important” stuff on a shared folder that gets backed up to cloud (Syno supports many different destinations) weekly, and I back up everything to an external HDD every few weeks.
Hyperbackup (Synology’s backup app) does client-side encryption using certificates or long-ish passphrases, so not accessible to the cloud host or anyone who steals my backup drive. Option to encrypt the NAS volumes so they require passphrase or cert on reboot, but I haven’t bothered. It also does versioned file-level backups by default, so I can go back to older versions even if a corrupted/destroyed file has been backed up more recently.
I think that covers 1-4 of your criteria.
2) For #5, use a password manager. I use PasswordSafe, but there are a number of more modern ones that are probably more complete and just as crypotgraphically secure. 20-character truly random strings, different for each site/use/destination, with you only memorizing a single long passphrase. I actually have two safes—one that has my commonly-used PWs that I cloud-sync to all my devices, and one that I only sync at home and never gets to a 3p storage mechanism (except as part of an encrypted backup). So I guess that’s two passphrases to memorize. I do also have a bank safe-deposit box for some documents, and keep a sealed envelope containing these and a few other passphrases written on it there, so my wife or heirs can get access if I’m incapacitated.
Two distinct pieces of advice:
1) Buy a NAS (I use Synology, my understanding is that they’re all somewhat comparable). Backup from your local devices to that is pretty trivial, and different for different OSs. I put “important” stuff on a shared folder that gets backed up to cloud (Syno supports many different destinations) weekly, and I back up everything to an external HDD every few weeks.
Hyperbackup (Synology’s backup app) does client-side encryption using certificates or long-ish passphrases, so not accessible to the cloud host or anyone who steals my backup drive. Option to encrypt the NAS volumes so they require passphrase or cert on reboot, but I haven’t bothered. It also does versioned file-level backups by default, so I can go back to older versions even if a corrupted/destroyed file has been backed up more recently.
I think that covers 1-4 of your criteria.
2) For #5, use a password manager. I use PasswordSafe, but there are a number of more modern ones that are probably more complete and just as crypotgraphically secure. 20-character truly random strings, different for each site/use/destination, with you only memorizing a single long passphrase. I actually have two safes—one that has my commonly-used PWs that I cloud-sync to all my devices, and one that I only sync at home and never gets to a 3p storage mechanism (except as part of an encrypted backup). So I guess that’s two passphrases to memorize. I do also have a bank safe-deposit box for some documents, and keep a sealed envelope containing these and a few other passphrases written on it there, so my wife or heirs can get access if I’m incapacitated.