Creating a Bootable Backup USB with Encryption for Pop!_OS
What happened
A Linux user published a concise how‑to for building a fully encrypted, bootable USB backup for Pop!_OS, walking through partitioning, LUKS encryption, rsyncing a full system copy, and installing systemd‑boot inside a chroot. The writeup — originally shared on a blog and discussed on Hacker News — lays out the commands end‑to‑end, from gdisk to bootctl. Want a road‑worthy clone of your workstation you can actually boot from if things go sideways? This is the recipe.
The nuts and bolts
The guide creates a GPT layout with a small EFI System Partition and a larger Linux partition, then applies LUKS to the root partition (cryptsetup luksFormat /dev/sdX2; luksOpen … usb_crypt), formats the ESP as FAT32 and the decrypted mapper as ext4, and mounts them under /mnt/backup_usb (with /boot/efi mounted from the ESP). The author uses rsync -avhPHAXx --numeric-ids to copy / to the USB while excluding runtime mounts, then updates /etc/fstab on the USB with the new UUIDs (blkid to fetch them). A simple crypttab entry like usb_crypt UUID=
Why it matters (and a few caveats)
This is a practical, do‑it‑yourself disaster recovery approach: encrypted, portable, and bootable — exactly what you want when your main disk takes a dive. But beware: device names (sdX) will differ, UUIDs matter, and one wrong rsync exclude or mount binding can break the copy or your host system. The post assumes UEFI firmware and Pop!_OS/systemd‑boot behavior; it has been reported that results vary across different distributions and firmware quirks, so test the drive before you need it.
Bottom line
If you like owning your backups rather than trusting cloud magic, this is a tidy, reproducible method to carry a full, encrypted Pop!_OS snapshot in your pocket. Follow the commands carefully, double‑check UUIDs, and don’t skip the test boot — because theory and reboot are not the same thing.
Sources: hajo.me, Hacker News
Comments