Every Linux distro comes at least with ntpdate by default, which updates the clock once a day. That should be sufficient, since clocks don't drift more than a second or two in a 24 hour period unless you have a really fucked up hardware clock. Alternatively you could run ntp. I don't see a security threat in allowing these services to update over clearnet. Almost every server has them running so there's nothing out of the ordinary about that. However, you would definitely want to keep the time correct, because as you said, Tor needs an accurate clock to run, but also because clock skew is a known attack on hidden services. In the case of a multiple hidden service setup, the 3 servers would be backups to each other. If LE seized one, the others would continue operating normally, syncing to each other while getting sync errors to the third server. Also, if an intrusion detection system is configured to destroy the data on the seized server, then LE couldn't prove it was part of the hidden service. Users would observe no change, because the other 2 servers would continue publishing their descriptors and users would connect to them. However, you probably want a dedicated backup server anyway. One benefit is that you could put it in stealth mode, like the ssh services described above. So even if someone is crawling the Tor network for hidden service descriptors, they would get an error that the hidden service is down whenever they tried to connect to it (unless they had the cookie/password). They couldn't determine what type of service was running on it, let alone that it was the backup server for hidden service X. As for the backup procedure, there are a variety of backup tools for Linux, but a lot of them are based on rsync. Why not run rsync over ssh? You would have to configure ssh to run over Tor, which can be done with connect-proxy, among other things. So rsync -> ssh -> connect-proxy -> Tor -> backup hidden service. Set an hourly cron job for that. Seems overly complicated for something that should be straight forward, and relies on a third party service that increases the attack surface. I haven't given much thought to that, but yeah, you would probably want to run that on separate hardware.