What Is Air Gapped Backup?
Air gapped backup means storing backup data in a way that is separated from live systems and routine network access. Traditionally, that meant physical disconnection. In modern environments, it can also mean strong logical isolation designed to prevent production-side compromise from reaching backup assets.
An air gapped backup is a backup copy isolated from the production environment so attackers cannot easily reach, encrypt, delete, or tamper with it. The point of an air gapped backup is simple: if normal systems are compromised, at least one clean recovery path should still survive. That is why air-gapped backups are a core topic in ransomware recovery, disaster recovery, and broader cyber resilience planning.
How air gapped backup works
The central idea is not just “having backups.” It is making sure the backup environment sits outside the same blast radius as the systems being protected.
If an attacker gets domain admin, compromises a virtualization platform, or lands on a backup administrator’s workstation, they often try to find and destroy recovery options. A normal online backup repository may be reachable from the same network, managed with the same credentials, or visible to the same orchestration tools. An air gapped approach is intended to break those paths.
Physical isolation
The traditional model is a genuinely offline copy, such as:
- Tape removed from active systems
- External media disconnected after backup
- Storage that is not persistently attached to the network
This is the most literal version of air gapping. If there is no active connection, remote attackers cannot easily reach it.
Logical isolation
Modern organizations often use logical air gaps rather than purely physical ones. That may involve:
- Separate backup accounts and administrative domains
- Isolated networks with tightly controlled access
- One-way data movement or restricted replication paths
- Backup storage not mounted or exposed to production systems
- Time-limited access windows
- Strong MFA and approval workflows for deletion or recovery actions
This is still air gapping in practice if compromise of production does not automatically grant access to backup systems.
Recovery-focused design
A true air gapped backup design is built around one question: Can an attacker in production reach and destroy the backup?
To answer “no,” organizations usually add controls such as:
- Separate credentials for backup administration
- Role separation between production admins and backup admins
- Immutable retention or deletion protection
- Monitoring on backup access and recovery actions
- Regular restore testing
- Protected copies stored offsite or in a separate platform
Without these controls, a backup may exist but still be vulnerable to the same incident that affects production.
Why air gapped backups matter
Air gapped backups matter most in destructive incidents, especially ransomware. Attackers increasingly target backup infrastructure before encrypting production systems because they know recovery is what lets a victim refuse extortion or restore quickly.
A common failure pattern looks like this:
- Production systems are compromised
- The attacker gains privileged access
- Backup consoles, repositories, or snapshots are discovered
- Backups are deleted, encrypted, or retention is altered
- Recovery becomes slow, partial, or impossible
Air gapping is meant to disrupt that sequence.
It is also valuable for:
- Insider threats
- Accidental deletion
- Administrative mistakes
- Supply chain compromise affecting management tools
- Regulatory or resilience requirements
If you are comparing isolation with immutability, see what is an immutable log.
Common examples of air gapped backup
Air-gapped backup designs vary by budget, platform, and risk tolerance. Common examples include:
- Backup tapes exported and stored offline
- Cloud backup copies placed in locked object storage with deletion protection
- Recovery vaults managed through separate credentials and approval workflows
- Backup repositories accessible only during narrow synchronization windows
- Replicated backup data sent to a segregated environment with no routine admin overlap
The technical details differ, but the principle stays the same: the recovery copy should not be easy to reach from the production environment.
What makes a backup truly air gapped
Not every “separate backup” is truly air gapped. In practice, the backup needs meaningful separation in areas such as:
Administrative separation
If the same admin account can manage both production and backup systems, the backup may still be within the same blast radius. Separate admin roles and privileged access controls matter.
For organizations tightening credential hygiene around backup administration, a password manager like 1Password can help reduce risky credential sharing and improve separation between privileged environments.
Network separation
If production systems can directly browse, mount, or manage backup storage, attackers may be able to do the same. Network isolation and limited access paths are central to the design.
Deletion resistance
A backup that can be instantly deleted with a single privileged action is fragile. Retention locks, immutability settings, and approval workflows make destructive actions harder.
Recovery testing
A backup is only useful if it restores cleanly. Teams need to verify that isolated copies are valid, accessible under emergency procedures, and not silently corrupted or malware-laden.
When you’ll encounter it
You will most often encounter the term air gapped backup in resilience, ransomware, and disaster recovery planning.
During ransomware readiness discussions
If an organization is reviewing how it would recover from widespread encryption or destructive malware, air gapped backups are usually part of the conversation. Security and infrastructure teams want to know whether at least one backup set survives even if the main environment does not.
In backup architecture reviews
When reviewing backup design, teams often distinguish between standard online backups and isolated recovery copies. This is where terms like air gapped, immutable, offline, and offsite often appear together.
In cyber insurance and audit questionnaires
Insurers, auditors, and regulators may ask whether backups are segregated from production and protected against tampering. “We back up to another server on the same domain” is usually not the answer they are looking for.
In business continuity and disaster recovery planning
Air gapped backups are part of broader recovery strategy. The focus is not only backup success, but survivability, restoration speed, and confidence that clean copies exist after a major incident.
For related planning, read what is defense in depth.
In post-incident lessons learned
After ransomware events, one of the first questions is whether the organization still has trusted backups. If the answer is yes, recovery planning looks very different. If the answer is no, the business impact escalates quickly.
What air gapped backup is not
It helps to be precise here.
An air gapped backup is not automatically:
- Any backup stored in the cloud
- Any snapshot
- Any copy on a different server
- Any backup with no current restore job running
If the same credentials, same network path, or same management plane can still alter or destroy the data, the gap may be more apparent than real.
Likewise, air gapping alone does not guarantee recoverability. Backups still need:
- Retention policies
- Integrity checks
- Malware-aware restore procedures
- Recovery documentation
- Routine restore testing
An unreachable backup that cannot be restored correctly is not much of a backup.
Practical backup security tips
Air-gapped backup is one part of backup security, not the whole program. Strong practice usually includes:
- Separate admin accounts for backup infrastructure
- MFA on backup consoles and recovery vaults
- Immutable or locked retention where supported
- Regular restore exercises
- Monitoring for unusual backup deletion or retention changes
- Offline or segregated copies for critical systems
On smaller environments and endpoints where malware risk can threaten local data before central backup jobs run, tools like Malwarebytes may add another defensive layer, though they are not a replacement for isolated backups.
Bottom line
An air gapped backup is a backup kept outside the normal reach of production systems and production-side attackers. Its value is simple but critical: when everything else is compromised, it gives the organization a realistic chance to recover. In ransomware defense, that separation often matters more than the backup job itself.