Installation

• Install the first time using the Recommended Partition layout, choose to encrypt the disk.

• Then, quit the installer and open a terminal.

• Check the encrypted partition created: sudo cryptsetup luksDump <crypt-partition>

• Open the encrypted partition: sudo cryptsetup luksOpen <crypt-partition> cryptdata (this mounts crypt-partition as device cryptdata)

• ls /dev/mapper (I should see cryptdata and data-root there)

• IMPORTANT: PopOS default install uses LVM. Commands useful to inspect the setup:

  • To list the LVM Physical Volume: sudo pvs, where:
    • PV: Physical Volume
    • VG: Volume Group
  • To List the LVM Volume Groups: sudo vgs, where:
    • LV: Logical Volume
  • To list all the Logical Volumes: sudo lvs, where: LV: Logical Volume Name (you should see “root” here on the default install)

• Close the encrypted partition:

$ sudo cryptsetup luksClose /dev/mapper/data-root
$ sudo cryptsetup luksClose /dev/mapper/cryptdata

• To make sure it was properly closed: ls /dev/mapper (I should not see cryptdata and data-root there)

• Close the terminal and trigger “Install” again (this will be the final installation). Follow the steps, and trigger a Custom (Advanced) install, then do the following: IMPORTANT: partitions that will be formatted will have a black checkmark

  • 1st partition: /boot/efi, format.
  • 2nd partition: /recovery, fat32, format.
  • 4th (last) partition: swap
  • 3rd partition: (you will have to decrypt it with your passphrase). It will then be at the bottom of the screen, as “LVM data”. Then:
    • Check “Use partition”
    • Check “Format”
    • Use as Root (/)
    • filesystem: btrfs
  • After finishing will all partitions, click “Erase and Install” and move on with the installation.

• After the installation finishes, do NOT close the window.

Post-Installation

• Open a terminal where we will do the post-installation steps:

$ sudo -i  # to become root
$ cryptsetup luksOpen <root-partition> crypdata
$ ls /dev/mapper  # list logical volumes
$ mount -o subvolid=5,defaults,compress=zstd:1,discard=async /dev/mapper/data-root /mnt # mount the logical volume, 5 is the top level btrfs partition root
$ ls /mnt  # there is now the filesystem of the installed system
$ btrfs subvolume list /mnt  # list btrfs subvolumes - there is none: that is the problem with PopOS default installation!
$ btrfs subvolume create /mnt/@  # this is the root subvolume name expected by timeshift
$ mv /mnt/* /mnt/@/  # move all files to the subvolume - the subvolume is "kinda like" a folder, but it is not ;)
$ ls /mnt  # to make sure all was moved
$ btrfs submolume list /mnt  # now it should show a subvolume at path @
$ btrfs subvolume create /mnt/@home  # this is the home subvolume name expected by timeshift
$ mv /mnt/@/home/* /mnt/@home/  # moves the home from the root subvolume to the new home subvolume
$ ls -a /mnt/@/home  # there should be nothing there
$ ls -a /mnt/@home  # there should be your home folder
$ btrfs submolume list /mnt  # now it should show a subvolume at path @ and another at path @home

$ nano /mnt/@/etc/fstab # now we should configure the new mount points

# at the existing btrfs mountpoint at "/", add these options to defaults:
# default,subvol=@,compress=zstd:1,discard=async

# copy the line you just changed (with the mouse), open a new line and paste
# then, on the line you just pasted, change "subvol=@" to "subvol=@home". Also,
# change the second field "/" to "/home".

# IMPORTANT: the line was copied because both are on the same partition. ;)

# Now you can quit nano (C-o, <Enter>, C-s).

$ nano /mnt/@/etc/crypttab # now we should configure the crypt mount points

# on the cryptdata line - probably the first on the file, we must add a parameter to luks, so it stays:
# luks,discard
# That is because we have set discard=async as a mount option.

• Tell the systemd boot loader when it load the kernel to go at the @ subvolume: $ nano /mnt/@/etc/kernelstub/configuration:

# on the user key, inside the kernel_options list, add a "," after the "splash" string and on a new line add:
"rootflags=subvol=@"

Then, quit nano with [C-o, , C-s].

• Mount the efi partition (the first one): $ mount /dev/xxx1 /mnt/@/boot/efi

• nano /mnt/@/boot/efi/loader/entries/Pop_OS-current.conf

# On the end of the line that starts with "options" (probably the last one), add below after "splash":
rootflags=subvol=@

Then, quit nano with [C-o, , C-s].

• Add a timeout to systemd boot loader to be able to access the recovery system:

$ nano /mnt/@/boot/efi/loader/loader.conf
# below the line that starts with "default", add:
timeout 10

• Now, go back to the root folder:

$ cd /
$ umount -l /mnt  # umount mnt
$ mount -o subvol=@,defaults,compress=zstd:1,discard=async /dev/mapper/data-root /mnt  # remounts the @ subvolume
$ ls /mnt  # you should see the PopOS install filesystem
$ for i in /dev /dev/pts /proc /sys /run; do mount -B $i /mnt$i; done   # mount bind the important paths into /mnt to prepare to chroot on the next step
$ chroot /mnt  # enters your installation filesystem, as if you have just booted on it
$ mount -av  # makes sure fstab works - the "ignored" are the ones that are already mounted
$ update-initramfs -c -k all  # pass rootflags to the kernel
$ exit  # exits the chroot
$ exit  # go back to the default user
$ exit  # close the terminal

• Now, you can click “Restart Device” on the installation window. This will reboot the machine, remove the USB stick and boot from your hard disk normally.

First boot

• Press “ESC” when it asks for your cryptsetup password, since that will go into a terminal you can use to better inspect what you type and have better feedback in case of errors.

• Login into the machine and do the initial gnome configuration.

• Check everything is OK:

  • See what is mounted: sudo mount -av
  • See what is mounted in detail: sudo mount -v | grep /dev/mapper (check the compress and discard options. The other ones are because of “defaults” on the mount paint, that is an alias to the recommended default options.)
  • Check if swap is being used: sudo swapon
  • check btrfs filesystem:

  $ sudo btrfs filesystem show /
  $ sudo btrfs subvolume list /
  $ sudo systemctl enable fstrim.timer  # helps free space on the SSD frequently
  $ cat /etc/lvm/lvm.conf | grep issue_discards  #  must return "1" on the line
  

• Update, upgrade and reboot: sudo apt update -y && sudo apt upgrade -y && sudo apt full-upgrade && sudo apt autoremove --purge && sudo apt autoclean && sudo reboot

Timeshift

• Install: $ sudo apt install timeshift -y
• Run: sudo timeshift-gtk. Select Btrfs, Next, Select the Disk. On Snapshot Levels, check all EXCEPT Hourly. Next, choose to include User Home Directories or not, click Next. Finish and then manually create the first snapshot.
• To create a snapshot on the CLI: sudo timeshift --create
• Make snapshots when you install packages:

$ sudo apt install git make
$ git clone https://github.com/wmutschl/timeshift-autosnap-apt.git $HOME/timeshift-autosnap-apt
$ cd $HOME/timeshift-autosnap-apt
$ sudo make install
$ sudo nano /etc/timeshift-autosnap.conf
# Change to: snapshotBoot=false (since we do not have a separated /boot partition, only /boot/efi)
# Change to: updateGrub=false (we are not using grub)
# quit nano
$ sudo timeshift-autosnap-apt

• The top folder of the btrfs partition is at: ls /run/timeshift/backup

• The timeshift snapshots are at: ls /run/timeshift/backup/timeshift-btrfs

• If you mess up with the system, you can reboot the machine, go to PopOS Recovery, click Install, select keyboard and move on until you see a button “Try Demo Mode”. Once it starts, run: sudo apt install timeshift to install it. Then, run timeshift, select the disk (ignore if it says it is not a btrfs filesystem, that is because the partition was encrypted) and on the next screen select a snapshot you want to restore. After finished, reboot the machine back into PopOS and you will be back to normal.