
    State of the Art in Proxmox Backups: Air-Gapped, Immutability and the 3-2-1-1-0 Rule

    January 19, 2026

    Faced with the explosion of ransomware attacks and growing compliance requirements (GDPR, NIS2, ISO 27001), traditional backup strategies are no longer sufficient. An immutable backup solution combined with ransomware protection through physical isolation (air-gap) has become essential. This article presents the current state of the art in backups for Proxmox VE infrastructure, detailing the key concepts every IT manager needs to master.

    Ransomware attack propagation diagram: the compromised admin workstation infects production servers and local backups, but the Nimbus Backup server with external infrastructure and separate admin remains intact
    Ransomware propagation: external infrastructure and separate admin block the attack

    The ransomware threat: why your backups are targeted

    Cybercriminals have evolved. Aware that backups represent the last line of defense for businesses, they now prioritize targeting backup systems before encrypting production data. According to the Veeam Ransomware Trends 2024 report, 93% of ransomware attacks explicitly target backups.

    A backup accessible from the production network is no longer a backup: it's a target.

    This reality requires a fundamental rethinking of backup architecture, integrating principles of physical and logical isolation that we detail below.

    The 3-2-1-1-0 rule: evolution of the industry standard

    The 3-2-1 rule, popularized by photographer Peter Krogh, recommended keeping 3 copies of your data, on 2 different types of media, with 1 stored offsite. This rule, while still relevant, has been extended to address current threats.

    The 3-2-1-1-0 rule explained:

    • 3 copies of your data (production + 2 backups)
    • 2 different media types (disk + tape or cloud)
    • 1 offsite copy (geographically separated)
    • 1 air-gapped or immutable copy (inaccessible to attackers)
    • 0 errors after verification (regular restore tests)

    This evolution, recommended notably by CISA (Cybersecurity and Infrastructure Security Agency) and ENISA, adds two critical requirements: isolation (air-gap) and systematic verification.

    Air-Gapped backup: physical isolation as the ultimate protection

    An "air-gapped" backup is a backup that is physically disconnected from the network. This disconnection can be permanent (LTO tapes stored offsite) or temporary (connection only during the backup window).

    Air-gapped backup explained: definition, why it's crucial, and 4 implementation methods (LTO tapes, rotational storage, isolated network, sovereign cloud)
    The 4 air-gapped backup implementation methods

    Common air-gap implementations:

    LTO Magnetic Tapes

    LTO (Linear Tape-Open) tapes offer a natural air-gap once ejected from the drive. Stored in a fireproof safe, they are completely inaccessible to network attackers.

    Rotational disconnected storage

    Removable disk system exchanged regularly, with one copy always offline in a separate secure location.

    Dedicated isolated network

    Backup infrastructure on a physically separate network, with controlled and temporary connection via network diode or unidirectional firewall.

    Dedicated sovereign cloud

    Offsite backup to a trusted provider with separate strong authentication and no direct connection from the production network.

    Important note: A backup on NAS or SAN accessible via the network, even with different credentials, is NOT air-gapped. An attacker who has compromised your Active Directory or management systems can often reach these systems.
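
    As an added example (not code from the original article or from Proxmox), the following Python sketch audits a backup inventory against the 3-2-1-1-0 rule and applies the note above: a network-reachable copy with separate credentials does not count as air-gapped. The field names, the sample inventories and the reading of "0 errors" as "every backup has a clean restore test" are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Copy:
    name: str
    media: str                            # "disk", "tape", "object-storage", ...
    site: str                             # physical location label
    online: bool                          # reachable over a network from production
    locked_until: Optional[date] = None   # retention lock expiry; None = mutable
    restore_errors: Optional[int] = None  # last restore test; None = never tested
    is_production: bool = False

def check_32110(copies, today, primary_site):
    """Return the 3-2-1-1-0 requirements that this inventory fails."""
    failures = []
    backups = [c for c in copies if not c.is_production]
    if len(copies) < 3:                       # production + 2 backups
        failures.append("3: fewer than three copies")
    if len({c.media for c in copies}) < 2:    # assumption: counted over all copies
        failures.append("2: fewer than two media types")
    if not any(c.site != primary_site for c in backups):
        failures.append("1: no offsite copy")
    # Separate credentials on a reachable NAS do not count: a copy qualifies
    # only if it is offline or its retention lock has not yet expired.
    if not any(not c.online or (c.locked_until is not None and c.locked_until > today)
               for c in backups):
        failures.append("1: no air-gapped or immutable copy")
    # Assumption: every backup needs a restore test that ended with zero errors.
    if any(c.restore_errors is None or c.restore_errors > 0 for c in backups):
        failures.append("0: a backup is untested or failed its restore test")
    return failures

# Constructed sample inventories (names, sites and dates are made up).
TODAY = date(2026, 1, 19)
WEAK = [
    Copy("pve-cluster", "disk", "dc1", True, is_production=True),
    Copy("nas-separate-creds", "disk", "dc1", True, restore_errors=0),
    Copy("remote-sync", "disk", "dc2", True),
]
STRONG = WEAK[:2] + [
    Copy("s3-object-lock", "object-storage", "dc2", True, date(2026, 3, 1), 0),
    Copy("lto-vault", "tape", "vault", False, restore_errors=0),
]

if __name__ == "__main__":
    for label, inv in (("weak", WEAK), ("strong", STRONG)):
        print(label, check_32110(inv, TODAY, "dc1") or "meets 3-2-1-1-0")
```

    An online copy stops counting as protected once its retention lock has expired, so the audit should be rerun on a schedule rather than once.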

    Immutability: tamper-proof backups

    Immutability guarantees that a backup cannot be modified or deleted for a defined period, even by an administrator with full privileges. It is a logical protection complementary to physical isolation.

    Immutability technologies for Proxmox:

    Proxmox Backup Server (PBS) with protected datastore

    PBS allows configuring datastores in append-only mode or with locked retention policies. Combined with a file system like ZFS, it provides robust protection.

    PBS Documentation

    S3 Object Lock (WORM)

    S3-compatible storage with Object Lock allows defining legal or governance retention periods during which objects are immutable. Compliant with SEC 17a-4 requirements.

    S3 Object Lock Documentation

    LTO Tapes with WORM

    LTO tapes in WORM (Write Once Read Many) mode offer hardware immutability: once written, data physically cannot be modified.

    Proxmox Backup Server: the optimized native solution

    Proxmox Backup Server (PBS) is the backup solution developed by Proxmox for its hypervisors. It offers significant advantages for Proxmox VE environments:

    • Block-level deduplication: up to 90% storage space reduction
    • Client-side encryption: data is encrypted before transmission (AES-256-GCM)
    • Integrity verification: automatic data corruption detection
    • Granular restore: recover individual files without restoring the entire VM
    • Datastore synchronization: replication to a remote site for DR

    Technical reference: For a detailed implementation of PBS in an enterprise context, consult the official Proxmox Backup Server documentation.

    Regulatory compliance: GDPR, NIS2 and ISO 27001

    European regulations impose strict requirements for data protection, explicitly including backups:

    GDPR (Article 32)

    Requires "the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident". Backups must also comply with data subject rights (notably the right to erasure).

    NIS2 Directive (2024)

    Strengthens cybersecurity obligations for essential and important entities, including risk management measures explicitly covering "business continuity, such as backup management".

    ISO 27001 (Annex A.12.3)

    Control A.12.3.1 requires "backup copies of information, software and system images made and tested regularly in accordance with an agreed backup policy".

    A compliant backup strategy must therefore integrate: encryption, documented restore tests, data location within the EU, and deletion procedures compatible with the right to erasure.

    RDEM Systems: your backup partner meeting industry standards

    At RDEM Systems, we position ourselves as a secure, reliable backup provider meeting the best market standards. Our NimbusBackup offering natively implements the principles detailed in this article:

    Air-gapped backup

    Our Drive Bank PBS and BankS3 plans include monthly or weekly transfer to a physically isolated vault (LTO tapes stored offsite).

    LTO tape archiving

    LTO magnetic tapes offer natural protection: once stored offsite, they are inaccessible to attackers and ransomware.

    European hosting, French on request

    Multi-datacenter infrastructure in Europe, with 100% French hosting options on our own BGP network (AS206014). GDPR compliance guaranteed. Need to host your Proxmox VMs? Discover our 3-2-1 multi-datacenter backup strategy.

    End-to-end encryption

    Your data is encrypted client-side (AES-256) before transmission. We never have access to your data in clear text.

    All our offsite Proxmox backup plans implement these principles. Also check our pricing guide to choose the right plan for your budget. And for complete infrastructure protection, RDEM Systems also offers DRP/BCP facilitated by managed services.
