Pop!_OS 22.04 with btrfs, luks encryption, automatic system snapshots with Timeshift & rollback demo

  • Published on 27 Jul 2024
  • All commands and the written guide: mutschler.dev/linux/pop-os-bt...
    If you want to support the creation of such videos: buymeacoff.ee/mutschler
    ----------------------------------------------
    In this video we'll install Pop!_OS 22.04 with the following structure:
    - an encrypted btrfs partition (with LVM) for the root filesystem
    - the btrfs logical volume contains a subvolume `@` for `/` and a subvolume `@home` for `/home`. Note that the Pop!_OS installer does not create btrfs subvolumes by default, so we need to do this manually.
    - an encrypted swap partition which works with hibernation
    - an unencrypted EFI partition for the systemd bootloader
    - an unencrypted partition for the Pop!_OS recovery system
    - automatic system snapshots and easy rollback using:
    - [timeshift](github.com/teejee2008/timeshift) which will regularly take (almost instant) snapshots of the system
    - [timeshift-autosnap-apt](github.com/wmutschl/timeshift...) which creates a btrfs snapshot with timeshift on any system update with apt
    ----------------------------------------------
    Contents
    00:00 - Intro
    00:44 - Boot into live system (I use Ventoy for that)
    01:54 - Choose Language, Region and Keyboard Layout
    02:08 - Create Partition Layout by simply doing a clean install (without btrfs first)
    04:27 - (Optional) Understand default partition layout, i.e. how luks and LVM are used by POP!_OS
    10:23 - Do the second and actual Install with BTRFS as the filesystem inside encrypted LUKS partition
    13:26 - Why we need post-installation steps when using BTRFS in POP!_OS
    15:13 - Unlock luks partition
    15:28 - Mount top level root of btrfs partition to /mnt using optimized mount options
    18:05 - Create btrfs subvolumes @ and @home and move files into the subvolumes
    21:08 - Make changes to fstab
    23:24 - Crypttab: see encrypted swap and make discard work
    24:01 - Add rootflags to kernelstub
    25:08 - Mount EFI partition to add rootflags to systemd bootloader conf files (and optional timeout)
    26:26 - Chroot into your system and update the initramfs
    29:03 - Reboot
    30:45 - Some checks whether everything is set up correctly
    31:52 - Enable fstrim timer and check lvm.conf file for issue_discards=1
    32:43 - Update and upgrade your system
    33:36 - Install and set up timeshift for btrfs
    36:52 - Install and set up timeshift-autosnap-apt
    40:24 - Some details on automatic timeshift snapshots and where they can be found on the disk
    42:29 - Demo how to restore system to a certain snapshot using Timeshift from the Recovery system
    47:10 - Outro
    ----------------------------------------------
    IMPORTANT NOTES AND CORRECTIONS
    -
  • Science & Technology
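
The post-install checks listed in the contents (30:45 and 31:52) can be scripted. The following is an added example, not taken from the video or the written guide: it parses the files the steps above modify and confirms the `@`/`@home` subvolumes, the crypttab discard option, `issue_discards` and the boot entry's `rootflags` agree. The function names, the sample files, their placeholder UUIDs and mount options are constructed for illustration.

```sh
# Added example: static checks of the config files the post-install steps edit.

# Print the subvol= value of the btrfs entry mounted at $2 in fstab $1.
fstab_subvol() {
    awk -v mp="$2" '
        /^[ \t]*(#|$)/ { next }
        $2 == mp && $3 == "btrfs" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] ~ /^subvol=/) { sub(/^subvol=\/?/, "", opt[i]); print opt[i] }
        }' "$1"
}

# Succeed if mapping $2 in crypttab $1 lists the "discard" option.
crypttab_has_discard() {
    awk -v name="$2" '
        /^[ \t]*(#|$)/ { next }
        $1 == name { n = split($4, opt, ","); for (i = 1; i <= n; i++) if (opt[i] == "discard") found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Print the active (uncommented) issue_discards value from lvm.conf $1.
lvm_issue_discards() {
    awk '/^[ \t]*issue_discards[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t#].*$/, ""); v = $0 }
         END { print v }' "$1"
}

# Print the rootflags= value from the "options" line of boot entry $1.
entry_rootflags() {
    awk '$1 == "options" { for (i = 2; i <= NF; i++) if ($i ~ /^rootflags=/) print substr($i, 11) }' "$1"
}

fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# Args: fstab crypttab lvm.conf boot-entry. Returns the number of failed checks.
check_layout() {
    fails=0
    [ "$(fstab_subvol "$1" /)" = "@" ] || fail "/ is not mounted from subvolume @"
    [ "$(fstab_subvol "$1" /home)" = "@home" ] || fail "/home is not mounted from subvolume @home"
    crypttab_has_discard "$2" cryptdata || fail "cryptdata has no discard option in crypttab"
    [ "$(lvm_issue_discards "$3")" = "1" ] || fail "issue_discards is not 1 in lvm.conf"
    case ",$(entry_rootflags "$4")," in
        *,subvol=@,*) ;;
        *) fail "boot entry lacks rootflags=subvol=@" ;;
    esac
    return "$fails"
}

# Constructed sample files (placeholder UUIDs, illustrative mount options).
write_sample() {
    cat > "$1/fstab" <<'EOF'
/dev/mapper/data-root  /      btrfs  defaults,subvol=@,ssd,noatime,compress=zstd      0  0
/dev/mapper/data-root  /home  btrfs  defaults,subvol=@home,ssd,noatime,compress=zstd  0  0
EOF
    cat > "$1/crypttab" <<'EOF'
cryptdata UUID=00000000-0000-0000-0000-000000000000 none luks,discard
EOF
    cat > "$1/lvm.conf" <<'EOF'
devices {
    # issue_discards = 0
    issue_discards = 1
}
EOF
    cat > "$1/entry.conf" <<'EOF'
options root=UUID=00000000-0000-0000-0000-000000000001 ro quiet rootflags=subvol=@
EOF
}

d=$(mktemp -d)
write_sample "$d"
check_layout "$d/fstab" "$d/crypttab" "$d/lvm.conf" "$d/entry.conf" && echo "layout OK"
```

On an installed system, pass `/etc/fstab`, `/etc/crypttab`, `/etc/lvm/lvm.conf` and the boot entry file under `/boot/efi/loader/entries/` instead of the sample files.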

Comments • 94

  • @B3DFire 2 years ago +4

    This was an AMAZING Video! Thank you!!! I got my system set up - it will TRULY be a time saver! By the way, in your video, you said that we could name cryptdata anything we wanted, but I would recommend not to. On my first attempt, I named my volume awesomezone, instead of cryptdata, and then it never booted after the final step. I probably left something out somewhere. So I had to redo all steps. For any new people watching this awesome demo, just follow his steps exactly.

    • @wmutschl 2 years ago

      I agree, one should stick to cryptdata.

  • @Techonsapevole 1 year ago +4

    Perfect, it should be the default installation

    • @wmutschl 1 year ago

      Thanks, I am pretty sure System76 will hop on the btrfs train as Fedora did.

  • 2 years ago +1

    Thanks a lot for your awesome guides for Pop!_OS! I just recently discovered the related setup guides on your website while I had already been using Pop!_OS for 1-2 years. I was already using luks encryption and Timeshift but with ext4. Your guide helped me get some confidence to convert my filesystem from ext4 to btrfs and I also started using timeshift-autosnap-apt and I love this setup with the fast snapshots.

    • @wmutschl 2 years ago +1

      Good to hear!

  • @LucS0042 2 years ago +2

    Wonderful tutorial!
    Thanks for taking the time to create this.

    • @wmutschl 2 years ago

      Thanks for watching :-)

  • @chromacobble 1 year ago

    Thank you Willi for this detailed walkthrough 😄

    • @wmutschl 1 year ago

      You're welcome!

  • @wiciu4073 2 months ago

    Amazing guide. Thank you, sir!
    I'm gonna try to daily drive Pop!_OS. Hoping for smooth gaming on nVidia GPU and IT work. So far it seems promising.

  • @jkommisar 7 months ago +1

    Thanks for the tutorial. I did it and works great. 😀

  • @lestutospythondupentester5577 1 year ago

    Thanks Willi for this amazing video.
    I have been able to setup all the things and tested the restore.
    Very accurate video. Thanks.

  • @gpoleze 1 year ago

    Holy moly, if I could, I would "like" this video more than once! Thank you for such a nice guide.

    • @wmutschl 1 year ago

      Glad it helped.

  • @Aphova 1 year ago

    Thank you so much for this, incredible guide, even for someone as clueless as myself! Only minor issue was the EFI vars mount mentioned by ven in the comments, without which I couldn't get this to work.

    • @wmutschl 1 year ago +1

      Okay thanks for the comment!

  • @rafaeltb 1 year ago +1

    Thanks for an amazing guide!

    • @wmutschl 1 year ago +1

      Glad you liked it.

  • @maxime3545 1 year ago +1

    Thanks for this guide !

  • @JosepBocanegra 1 year ago +1

    Fantastic guide. Thank you

    • @wmutschl 1 year ago

      No problem.

  • @apertaoxis 2 years ago

    Thank you a lot for your video!!

    • @wmutschl 2 years ago

      You're welcome.

  • @brunocesar9519 6 months ago

    I hope that one day Pop_OS will default to BTRFS! ♥

  • @nervouslookingman5954 10 months ago

    Thank you so much

  • @rafaelagd0 1 year ago

    Amazing!

  • @simonlauer9379 6 months ago

    Nice guide! Tested it on a laptop and it works beautifully. Do you think it is possible to clone the drive to use the install on my main desktop machine?

  • @aintnuthinbuta 2 years ago +1

    Thanks for sharing in such detail, this is all very new to me. I've read a few things suggesting accelerated wear on SSDs from huge write amplification (up to 30x). Have you looked at SSD lifespan with btrfs, or optimizations to reduce the write amplification?

    • @wmutschl 1 year ago

      Be careful on what you are reading, because those experiences are often very outdated. Typically, SSD is now the standard and there is no problem with any filesystem with the standard flags. But of course your mileage may vary. At least for me I never had any problem.

  • @DiegoCortassa 4 months ago

    Hi Willi, thanks for this great video! I don't understand why you use LVM on the encrypted /dev/sda3. I mean, as BTRFS has all the features of LVM and more, wouldn't it be easier to just use BTRFS over cryptodev over /dev/sda3 instead of BTRFS over LVM over cryptodev over /dev/sda3?

  • @seanyu1895 11 months ago

    Using pop-os_22.04_amd64_intel_33.iso and a SATA SSD, the Default Clean Install does not configure 4 partitions as mentioned in 04:27. It configures 3 partitions and forces the /boot to be on ext4 rather than fat32.

  • @tutacat 9 months ago +1

    Actually, if you snapshot more often, you can make more snapshots, use less space, and they will probably be more useful. macOS for example does hourly, then deletes after 24 hours

  • @dwcrypt8519 11 months ago

    I did this on a laptop, an old one... still had an HDD, just wondering if I'll be able to clone the whole system on an SSD in the future

  • @fishbone007 2 months ago

    What does updating the OS look like? For example going from 22.04 to the upcoming 24.04 of Pop OS?

  • @praveenbharadwaj2059 8 months ago +1

    The btrfs partition is quite lengthy. Suggest for manual partition for mbr legacy case btrfs

  • @klaesregis7487 10 months ago +2

    Sadly the installation fails for me with the error that it can't find the root partition. This is after redoing the installation and manually selecting the partitions. I tried this multiple times, I only got it to work when I created a custom partition with / instead of the inbuilt root one. Somehow that seems to have fixed my problem.
    Thanks for the in-depth tutorial!

    • @fabiomeier 3 months ago

      Same for me. Failed for me too. I am gonna try to format the lvm partition as custom with /

    • @fabiomeier 3 months ago

      sadly it doesn't work for me :(

  • @lynettegarrido8859 1 year ago +1

    Willi, thank you so much for this informative video! I am a Linux noob. Is there any possibility of you doing a video similar to this one demonstrating the use of gparted (for those of us who are not terminal proficient yet) to create BTRFS logical (@) subvolumes and doing all of this without a LUKS-encrypted partition for those of us who do not use the encrypt data option on Pop_OS 22.04? I know I and perhaps others would greatly benefit from it. Again thanks. Kindest regards, Lynette

    • @wmutschl 1 year ago

      I don't think gparted can do btrfs subvolumes, but I might be wrong.

  • @leonbishop7404 1 year ago

    Does btrfs treat separate subvolumes like actual separate partitions? Will it rewrite data to disk when you move it from one subvolume to another (considering both volumes are inside the btrfs filesystem)?

    • @wmutschl 1 year ago +1

      No, btrfs is a copy on write file system. It only writes the changes you do to your data. If you want to copy files (without actually duplicating data), use the reflink flag: btrfs.readthedocs.io/en/latest/Reflink.html

  • @fishbone007 2 months ago

    How would you go from this setup to, let's say, Mint? You could take your @home with you, right? What would that look like?

  • @nervouslookingman5954 10 months ago +1

    I added the timeout as you mentioned. But now I want to remove the timeout and /mnt/ looks empty, so I couldn't find the configuration file (loader.conf). How can I remove the timeout from loader.conf on the installed system?

    • @nervouslookingman5954 10 months ago

      I found the solution:
      1) sudo -i
      2) nano /boot/efi/loader/loader.conf
      the file is there

  • @crazyczech3620 1 year ago +1

    On my laptop I don't know why but the default layout didn't create an encrypted swap. Can I create a separate encrypted /home partition so that I can re-install and keep data intact? Thank You! Pop Btrfs should be vastly improved by now. Also would prefer snapper instead of timeshift.

    • @wmutschl 1 year ago

      If you like snapper: why not choose Suse?

  • @qm3ster 2 years ago +2

    2. Can you incorporate Secure Boot (actually signed grub, initramfs, everything that gets loaded) + TOTP attestation against evil maid using TPM into this setup next time?

    • @wmutschl 2 years ago +3

      I think Secure Boot would be possible. Note though that Pop uses the systemd bootloader and not grub. There is no downside to also installing grub. Regarding the other things you propose: I've never heard of those, so I don't know. In any case, for my security threat level my current setup is more than sufficient. That is, I fear 2 things: 1. I lose my laptop. 2. I mess up something.
      Regarding 1) luks encryption is sufficient for me. Regarding 2) btrfs subvolumes and timeshift are sufficient for me.

  • @VenRoot 1 year ago

    Hey Willi, I'm currently stuck with installing the new kernel. I compiled and installed the kernel + modules, made update-initramfs, but upon rebooting to the new kernel, I first get the message "waiting for encrypted source device UUID=..." which was my swap.
    I then looked it up and others solved it by disabling the swap and removing it from /etc/cryptdata and /etc/fstab. When I did that, booting to the new kernel dropped me into busybox, saying UUID for my system partition wouldn't exist.
    You know how to help? Thanks!

    • @wmutschl 1 year ago

      Hope you figured it out?

    • @VenRoot 1 year ago

      @wmutschl I eventually figured it out, I have a healthy system on both my main pc and my laptop. I did my main system without an encrypted root partition on my main system because I had difficulties with LUKS back then.

  • @qm3ster 2 years ago

    1. Why do we have to do the install without subvolumes and then move things around instead of creating and mounting the subvolumes before the install and just not having the installer format anything? Would the installer fail?

    • @wmutschl 2 years ago +1

      Because pop's installer neither creates subvolumes nor installs the system inside the subvolumes. It always uses the top-level to install the system. That is why I move the installed files into the corresponding subvolumes. The names of the subvolumes are chosen such that Timeshift works out of the box without manually changing its code (which I do for Fedora).

    • @blackbke 2 years ago

      @wmutschl I assume that Timeshift is also the reason why you create 2 subvolumes (root + home) after system install, instead of only a home and keep the main root subvolume that is already there (?)
      Absolutely great guide btw. I'm not too tech savvy in linux but this just worked from the first try. Thank you.

  • @googleuser1968 2 years ago

    How can we have the home folder on a separate disk and then also how to reinstall on top without wiping that home folder? I haven't found that in your videos, it would be nice to show us the way. This would be really beneficial since one can actually revert to the original state without losing personal files and settings.
    Good work, your videos are really informative.

    • @wmutschl 2 years ago +1

      Actually, your home data are in a separate subvolume @home, so you can decide whether or not you also revert your personal files and settings or keep them as the system files are in the @ subvolume. In other words: when you restore a snapshot of @ with Timeshift, it asks you explicitly if you also want to restore the @home snapshot which in almost all cases you don't want to do. But even if you click this accidentally, your data is not lost as timeshift does not delete the subvolumes, so you can again revert back.
      For timeshift it is not a problem to use the @home subvolume from a different disk. So simply format your disk with btrfs (with or without luks encryption, up to you), then create a @home subvolume, move your files there and make the appropriate changes to your fstab. If you also use luks encryption then you would also need to adapt your crypttab and maybe create luks keys to automatically unlock your home partition after you entered the password for your root partition. Have a look at my Ubuntu guides how this can be done.

    • @pranavraval194 1 year ago

      @googleuser1968
      Allow me to be the translator of Willi’s reply.
      Willi’s reply… @home is a separate subvolume.
      Think of it as an External Drive like D: or so, i.e. the drive letter you see when a separate volume containing data is attached. Just because your USB stick shows up as D Drive in my computer doesn’t make it part of your computer’s internal volume.
      Just like C Drive containing windows root and OS data and D Drive for user data such as USB Stick is used here as an example to help you understand the differences between a volume and its mounting.
      Here @home is a separate logical volume which is mounted at path /home. Just like a USB stick showing up as D Drive in my computer in windows.
      When windows takes a system backup before you install an unsigned driver for potential rollback, it doesn’t copy data from D Drive.
      Anyway, I tried to explain by giving the example of windows for illustration only. It was just an attempt to help a fellow new user understand and appreciate the capabilities that BTRFS offers.
      I very well understand that Linux and Windows manage physical and logical volumes in totally different manners but this is a reply for a new Linux user, not for a Linux expert’s approval. So, forgive me for any inaccuracies.

  • @TheLegendaryHacker 1 year ago

    What do we do if we get to 10:53 and only have 3 partitions instead of 4?

    • @wmutschl 1 year ago

      Run for your life :-) No honestly, start over in a VM and practice the steps.

  • @fouadzouraibi5407 1 year ago +1

    I have just one question. What to do if a person needs 16GiB of swap?

    • @rafaeltb 1 year ago +1

      This video helped me understand how to do these same partitions manually and after that I followed the rest of the steps in this video :)
      th-cam.com/video/7xeIkAGEvG0/w-d-xo.html
      Hope it helps!

    • @leonbishop7404 1 year ago

      Swap can come in two options: either partition or swap file. So sometimes it's easier to go with a file.

    • @wmutschl 1 year ago

      On btrfs you need some special treatment of swap files.

  • @Char1es4k 2 months ago

    I'm dual booting pop os with Windows on the same SSD, therefore I just can't do a clean install by wiping the whole disk. So naturally there's also no encryption option available. Which steps should I ignore in this case?

    • @wiciu4073 2 months ago +1

      Disclaimer: don't break your Windows installation because of my advice xD
      Prepare partitions using gparted or whatever, do the custom installation with btrfs root partition and then ignore everything about "unlocking" the luks partition (since our partition is not locked or encrypted), and ignore changing crypttab. Every time you `mount` your btrfs partition you must use the correct device from `/dev`. Gparted can tell you that name. E.g. mine was `/dev/nvme1n1p4` since I installed on a partition from a nvm ssd drive. Yours might be similar or maybe will be called `sda`, `sdb`, etc.
      Good luck with dual booting but I'm afraid that Windows will keep breaking your efi. It's way easier to have Windows on a separate physical device, with its own efi partition. If you must have both OSes on the same drive, then it's better to install Windows second. I managed to give Windows its own, second efi partition and keep the original efi for the Linux installation, but I can't instruct you about it here.

    • @Char1es4k 2 months ago +1

      @wiciu4073 Thanks! I'll back up my data and give it a try

  • @Little-bird-told-me 1 year ago

    Can you please tell me the difference between PopOS recovery and Timeshift. Can we recover files in *~/* directory?

    • @VenRoot 1 year ago +2

      Timeshift is just a program which reads the btrfs system where our partitions are stored. Both home and system partitions, so yes, even ~/ will be recovered

    • @wmutschl 1 year ago +1

      Recovery is basically your iso file that you used to install the system from a USB stick. It is a live environment. Timeshift is a frontend for the btrfs snapshot system (or alternatively rsync for non-btrfs).

    • @Little-bird-told-me 1 year ago

      @wmutschl thanks

  • @nandurx 2 years ago

    How come I didn’t have recovery partition like you do?

    • @wmutschl 2 years ago +1

      Did you add the label /recovery when installing the system?

    • @nandurx 2 years ago

      @wmutschl I didn't see option for that.

    • @blackmine57 2 years ago +2

      @nandurx Check at 11:25

  • @troilus8286 1 year ago

    Has anyone used this guide for Ubuntu 22.04? Thanks.

    • @wmutschl 1 year ago

      I haven't unfortunately.

  • @TheKemals 1 year ago

    Could you do a Pop OS RAID 0 guide please?

    • @wmutschl 1 year ago

      No, I don't like RAID0.

  • @huandney 2 years ago

    Is there a way to do this without having to encrypt?

    • @wmutschl 2 years ago +3

      Yes totally! Just don't select encryption in the installer, skip the cryptsetup commands in the post installation steps, and replace /dev/mapper/data-root with /dev/sda3 (or the name of the partition which you installed on). Also you don't have to add the discard option to the crypttab (obviously). I am running the same setup without encryption on my server for which I also posted an installation video you can have a look at. Cheers!

    • @huandney 2 years ago

      @wmutschl, thanks!

  • @grover5056 8 months ago +1

    I install Pop OS on a flash drive and it's going only with ext4 FS, and it's a more simple way to encrypt this system. Why don't you add this way in this magic vid?

  • @newsmansuper2925 11 months ago

    For luks, POP is a bit of a total hot mess. You should be able to install it in one hit, not twice. Mint lets me do luks in one hit.

  • @VenRoot 1 year ago +6

    For everyone getting an error at 28:30 which says EFI variables is not supported on this system:
    You need to bind /sys/firmware/efi/efivars too.
    `for i in /dev /dev/pts /proc /sys /sys/firmware/efi/efivars /run; do mount -B "$i" "/mnt$i"; done`
    Oh and don't forget to mount /boot/efi if it isn't

    • @Aphova 1 year ago +1

      Thank you very much. If you hadn't made this comment it would have quite literally ruined my day (it's a long story) 😅

    • @Mdr.Fcking.Shadow 1 year ago

      Thank you very much for this comment 👍

    • @wmutschl 1 year ago

      Many thanks for spotting this!

    • @ljunglex 11 months ago

      Thank you!