Timeshift protects system state (OS snapshots), not full-user-data backups. Hardening focuses on snapshot storage integrity, root privilege boundaries, and restore safety.
¶ 1) Protect snapshot storage and retention
- Store snapshots on dedicated disk/partition separate from active root filesystem where possible.
- Restrict snapshot directory permissions (
/timeshift / Btrfs subvolumes).
- Define retention policy to avoid disk exhaustion.
- Monitor free space and snapshot job failures.
¶ 2) Secure execution and restore operations
- Run Timeshift operations only through privileged trusted admins.
- Log snapshot create/delete/restore actions.
- Validate restore path in test or staging systems before production restores.
- Keep rescue media available for offline rollback.
- Pair Timeshift with data-backup tools (restic/rclone/duplicity) for user data.
- Document what is and is not covered by Timeshift snapshots.
- Ensure encryption-at-rest on disks containing snapshots.
- Keep Timeshift package updated with distro security updates.
¶ Verification commands
timeshift --version
timeshift --list 2>/dev/null | head
ls -ld /timeshift 2>/dev/null
sudo btrfs subvolume list / 2>/dev/null | grep -i timeshift
- Timeshift repository/docs: https://github.com/linuxmint/timeshift
- Timeshift package docs (Debian/Ubuntu): https://packages.debian.org/search?keywords=timeshift