“It’s backed up.”
That sentence should make you ask one question:
When was the last time you restored it?
Most people do not have an answer.
They have iCloud. Or Google Drive. Or Time Machine. Or an external hard drive. Or a NAS. Or a password manager export. Or a seed phrase in a drawer. Or a vague memory that some app said “sync complete” three years ago.
That is not the same thing as a working backup.
A backup is only real if you can get the data back when the original is gone.
Until then, it is a theory.
The iCloud problem
I have watched two people lose years of family photos to an iPhone passcode they could not remember.
The device kept timing them out. Five minutes. An hour. A day. A week. Then the practical answer became ugly: the photos were either synced somewhere reachable, or they were not.
That is when “I think it’s in iCloud” stops being comforting.
iCloud is useful. So is Google Photos. So is Dropbox. I use cloud tools too.
But cloud sync is not the same as a backup plan.
Sync copies mistakes quickly. Delete the wrong folder and the deletion may sync. Lose access to the Apple ID and the backup is now behind another account recovery process. Forget the recovery key and you are in someone else’s process, not yours.
The question is not “do I use cloud?”
The question is: if the main device disappears today, can I recover the data from somewhere else, with credentials I can actually access?
The 3-2-1 rule is the start, not the finish
The simple backup frame is still useful:
- Three copies of the data.
- Two different kinds of storage.
- One copy offsite.
That is a good baseline because it stops one failure from becoming total loss.
Laptop dies? Local backup.
Apartment floods? Offsite backup.
Cloud account locks? Local encrypted copy.
But the 3-2-1 rule still has a missing verb.
Restore.
NIST’s backup guidance uses the boring but important language: backups should be conducted, maintained, and tested. The “tested” part is where normal people and small teams usually fail.
They buy the drive. They set up the sync. They feel responsible for 20 minutes. Then nobody restores a file until the day the real copy is gone.
That is a bad day to learn the external drive has a broken cable, the backup password is missing, or the folder you cared about was excluded.
What I test
I do not test every file. That would be ridiculous.
I test paths.
Can I restore one photo from the photo backup?
Can I restore one document from the document backup?
Can I open the encrypted archive?
Can I recover the password manager if my laptop is gone?
Can I use the backup hardware key?
Can I restore a wallet with a small test balance on a spare device?
Can the person I trust find the instructions without asking me?
That last one is the part people skip. A backup that only works when I am sitting there explaining it is not a family backup. It is my personal magic trick.
Password managers need restore tests too
A password manager feels like a solved problem until you imagine losing the laptop, phone, and primary hardware key at the same time.
Can you still get in?
Where is the emergency kit?
Where are the recovery codes?
Do you know which email account controls the password manager?
Does that email account require the same device you just lost?
Do you have a second hardware key already enrolled, or did you buy it and leave it in the box?
The FTC’s basic advice is right: two-factor authentication makes accounts much safer, and security keys are the strongest common method. But the recovery path matters too. Strong authentication without recovery planning can become self-lockout.
I like hardware keys. I also like boring notes that say where the backup key is and when it was last tested.
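One way to answer those questions on paper before an emergency, as an added example that is not from the original post: write down what each recovery path needs, then simulate a loss and see what is still reachable. The inventory below is constructed for illustration; the item names and the paths between them are assumptions, so replace them with your own setup.

```python
# Constructed inventory. Each item lists alternative ways to get it back;
# every thing named inside one set must be available for that way to work.
RECOVERY_PATHS = {
    "password_manager": [{"laptop"}, {"phone"}, {"emergency_kit", "email"}],
    "email": [{"phone"}, {"primary_key"}, {"backup_key"}, {"password_manager"}],
    "archive_password": [{"password_manager"}],
    "encrypted_archive": [{"external_drive", "archive_password"}],
}

# Physical things you either still hold or have lost.
PHYSICAL = {"laptop", "phone", "primary_key", "backup_key",
            "emergency_kit", "external_drive"}


def reachable(lost):
    """Start from the physical items that survive and keep unlocking
    whatever has a complete recovery path, until nothing new unlocks."""
    have = PHYSICAL - set(lost)
    changed = True
    while changed:
        changed = False
        for item, paths in RECOVERY_PATHS.items():
            if item not in have and any(path <= have for path in paths):
                have.add(item)
                changed = True
    return have


def locked_out(lost):
    """Items that cannot be recovered after losing the given things."""
    return sorted(set(RECOVERY_PATHS) - reachable(lost))


if __name__ == "__main__":
    # Laptop, phone and primary key gone; enrolled backup key still in hand.
    print(locked_out({"laptop", "phone", "primary_key"}))
    # Same loss, but the second key was never enrolled.
    print(locked_out({"laptop", "phone", "primary_key", "backup_key"}))
```

In the second scenario the email account and the password manager each need the other, so nothing unlocks, and the encrypted archive goes with them because its password lived only in the password manager.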
Bitcoin backups are more brutal
Bitcoin makes this lesson cleaner and harsher.
If you lose the recovery path, there may be no company to call.
Seed phrase wrong? Wrong wallet.
Passphrase typo? Different wallet.
Passphrase forgotten? The funded wallet is gone unless you recover the exact phrase.
Wallet app changed? You had better know the derivation path or have enough notes to recreate the setup.
This is why I do not consider a seed phrase backup complete until it has been used in a controlled restore test.
Not with the main stack exposed to unnecessary risk. Not by typing secrets into random websites. A proper restore drill with a spare device or test wallet, small amount, and a written checklist.
The first time you learn recovery should not be during an emergency.
A simple restore drill
Pick one category.
Photos, documents, password manager, important account, or wallet.
Then do the smallest honest restore:
- Pretend the main device is gone.
- Use the written instructions.
- Restore one file, one account, or one test wallet.
- Note what was missing.
- Fix the note.
- Put the next restore test on the calendar.
The important part is not heroics. It is discovering where the instructions lie.
Maybe the backup drive was not plugged in for six months.
Maybe the encrypted archive password was only in the password manager it is supposed to help recover.
Maybe the trusted person can find the binder but not understand which account matters.
Good. Better to find that on a Sunday afternoon than after a death, theft, flood, or locked account.
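The drill above for a file backup, as an added example that is not from the original post: read one file back out of the archive, compare it with a checksum recorded from the original, and return a dated record of the result. The sample files, the tar.gz format and the function names are assumptions made for illustration; the backup is built in memory so the script runs anywhere.

```python
import datetime
import hashlib
import io
import tarfile
import zlib

# Constructed sample data standing in for the files you care about.
FILES = {
    "photos/2019/beach.jpg": b"constructed photo bytes",
    "documents/will.pdf": b"constructed document bytes",
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def make_backup(files, exclude=()):
    """Stand-in backup job. The manifest lists what you care about,
    whether or not the job actually captured it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            if name.startswith(tuple(exclude)):
                continue  # silently skipped, like a forgotten exclude rule
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), {n: sha256(d) for n, d in files.items()}


def restore_drill(archive, manifest, name, today=None):
    """Read one file back out of the archive and compare it with the manifest."""
    today = today or datetime.date.today()
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            restored = tar.extractfile(tar.getmember(name)).read()
        result = "RESTORED" if sha256(restored) == manifest[name] else "MISMATCH"
    except KeyError:
        result = "MISSING"      # never made it into the backup
    except (tarfile.TarError, OSError, EOFError, zlib.error):
        result = "UNREADABLE"   # the archive itself cannot be opened
    return {"date": today.isoformat(), "path": name, "result": result}


if __name__ == "__main__":
    archive, manifest = make_backup(FILES, exclude=("photos/",))
    for path in FILES:
        print(restore_drill(archive, manifest, path))
```

Testing one path per category is what catches the excluded photo folder here: the document restores cleanly while the photo comes back as MISSING.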
What counts as done
A backup plan is done when:
- The data exists in more than one place.
- At least one copy survives the loss of your home or main device.
- The backup is encrypted when it should be.
- The restore process is written down.
- Someone has tested the restore.
- The test date is recorded.
That is the bar.
Not “I bought the drive.”
Not “the app says synced.”
Not “I know where the seed phrase is.”
Restored.
That is the only word that matters.
Sources
- NIST/NCCoE backup guidance: https://www.nccoe.nist.gov/sites/default/files/legacy-files/msp-protecting-data-extended.pdf
- Ready.gov financial preparedness: https://www.ready.gov/financial-preparedness
- FTC two-factor authentication guidance: https://consumer.ftc.gov/articles/use-two-factor-authentication-protect-your-accounts
- Related post: The 5 Digital Security Mistakes I See Every Week