Download the ISO image on the official Artix Linux website. We will choose the artix-base-dinit-x86_64.iso version to get Artix Linux with dinit. The partitions for our machine will be like the following

System: UEFI & GPT
+----------------------+----------------------+----------------------+----------------------+
| EFI system partition | Logical volume 1     | Logical volume 2     | Logical volume 3     |
|                      |                      |                      |                      |
| /efi                 | /                    | [SWAP]               | /home                |
|                      |                      |                      |                      |
|                      | /dev/alpha/volRoot   | /dev/alpha/volSwap   | /dev/alpha/volUser   |
| /dev/your-disk-1     |----------------------+----------------------+----------------------+
| unencrypted          | /dev/your-disk-2 encrypted using LVM on LUKS1                      |
+----------------------+--------------------------------------------------------------------+
|                              physical disk - /dev/your-disk                               |
+-------------------------------------------------------------------------------------------+

Use this schema as reference if you're lost with what disk or partitions I use in the commands

This approch is using LVM on LUKS to encrypt our entire system. We will also later on protect our boot/efi partition using the secure bios and an additional tool. This will provide maximum security for our data.

During this guide, I will reference the disk as either /dev/your-disk or a variant of this to indicate a specific partition. You will be able to see if your disk is /dev/sda for a hard drive or /dev/nvme0n1 for an M.2 SSD or any other in the section about wiping your disk.

Locate the ISO you downloaded on your machine and use a tool like dd on Linux or Rufus on Windows to flash the usb.

Here is the command to run as root to flash the USB on Linux

dd bs=4M if=path/to/artix-base-dinit-x86_64.iso of=/dev/my-usb conv=fsync oflag=direct status=progress

Once the USB is flashed, plug the USB in your PC when it's shutdown, press the boot menu choice key or change the bootable order in your BIOS and boot onto the USB.

You might need to edit the GRUB boot options depending on your hardware or else you'll get a black screen once you loaded the live OS. Press e on the Stick/HDD option of the menu and add ‘nomodeset’ at the end of the line that starts with linux.

linux ... nodemoset

Press f10 to boot. You should now have access to the root terminal of your live Artix Linux.

Use the default credentials

username: root
password: artix

Change your keyboard mapping if you didn't change the keytable in the GRUB options.

loadkeys <keymap> # Ex: loadkeys fr # For azerty layout

This step ensure that you start with a fresh disk. You can use whatever disk manager tool you’re comfortable with. Be careful if you have data on this drive it will be deleted!

List your partitions and disks:

lsblk

Wipe the data ⚠️ THIS WILL DELETE ALL THE DATA ON THE SELECTED DISK ⚠️. This can take a long time depending on the size of your disk and your CPU.

dd bs=4096 if=/dev/urandom iflag=nocache of=/dev/your-disk oflag=direct status=progress || true

WAIT for the process to finish and run

sync

We're going to need to connect to the network to install the necessary packages. Follow those steps to connect to the WIFI using wpa_supplicant provided in the live install of Artix.

rfkill unblock wlan
ip link set wlan0 up
wpa_cli
add_network
set_network (id) ssid "myssid"
set_network (id) psk "mypassword"
enable_network (id)

We're going to use the parted tool to create our partitions. Let's download it

pacman -Syu
pacman -S parted

Create a GPT partition table

parted -s /dev/your-disk mklabel gpt

We're going to use the UEFI & GPT combo. The first partition is going to hold our bootloader and the rest will be encrypted using LVM on LUKS. We're also going to use btrfs instead of ext4 to get filesystem snapshots and because it's a more recent filesystem.

parted -s -a optimal /dev/your-disk mkpart "primary" "fat32" "0%" "512MiB"
parted -s /dev/your-disk set 1 esp on
parted -s -a optimal /dev/your-disk mkpart "primary" "btrfs" "512MiB" "100%"
parted -s /dev/your-disk set 2 lvm on

Print the partition table of a drive and see if the alignment of your partition is optimal

lsblk
parted -s /dev/your-disk align-check optimal 1
parted -s /dev/your-disk align-check optimal 2

Now we're going to encrypt our disk. To get started run the next command to try to force the unlocking of stronger ciphers

cryptsetup benchmark

If that didn't work and you get an N/A on serpent-xts, try rebooting your live environment.

To generate a strong password, you can use this tool: https://rumkin.com/tools/password/

Next we're going to encrypt the disk using one of the stronger cipher proposed by the benchmark.

cryptsetup --verbose --type luks1 --cipher serpent-xts-plain64 --key-size 512 --hash sha512 --iter-time 10000 --use-random --verify-passphrase luksFormat /dev/your-disk-2

Then we mount using the device mapper. A possible reboot here can fix issues mounting the partition.

cryptsetup luksOpen /dev/your-disk-2 alpha

Now it's possible to create the physical volume

pvcreate /dev/mapper/alpha

And finally the logical volume that we'll call alpha

vgcreate alpha /dev/mapper/alpha

Next we can create the 3 partitions needed: swap user and root

lvcreate --contiguous y --size 16G alpha --name volSwap
lvcreate --contiguous y --size 400G alpha --name volUser
lvcreate --contiguous y --extents +100%FREE alpha --name volRoot

We can format each partition to use the correct file system.

mkfs.fat -n ESP -F 32 /dev/your-disk-1
mkswap -L SWAP /dev/alpha/volSwap
mkfs.btrfs -L ROOT /dev/alpha/volRoot
mkfs.btrfs -L HOME /dev/alpha/volUser

We can finally mount our newly created partitions.

swapon /dev/alpha/volSwap
mount /dev/alpha/volRoot /mnt
mkdir -p /mnt/boot/efi
mount /dev/your-disk-1 /mnt/boot/efi
mkdir /mnt/home
mount /dev/alpha/volUser /mnt/home

We did it! We can finally install Artix to our system.

It's time to install all the necessary packages for your brand new os.

First we're going to install the base. I chose dinit but you can use runit openrc or s6 and I also added seatd instead of elogind to keep the philosophy of Artix

basestrap -i /mnt base base-devel dinit seatd seatd-dinit dbus-dinit

Then we're going to chose linux-hardened for more security. We're also using seatd and turnstile instead of elogind. We're going to install turnstile later on. (TODO: try booster instead of mkinitcpio)

basestrap -i /mnt linux-firmware linux-hardened linux-hardened-headers mkinitcpio dhcpcd dhcpcd-dinit iwd iwd-dinit acpi acpid acpid-dinit chrony chrony-dinit openssh man

And finally we're going to install additional packages

basestrap -i /mnt doas vim git amd-ucode fastfetch

Feel free to replace the amd-ucode with the necessary drivers for your CPU (intel-ucode). We're going to install GPU drivers later on.

Generate the fstab

fstabgen -U /mnt >> /mnt/etc/fstab

Ensure everything is listed correctly

cat /mnt/etc/fstab

If you're missing an entry, add it manually, for example this is the command to add your /home

echo -e "# /dev/mapper/alpha-volUser LABEL=HOME\nUUID=`blkid -s UUID -o value /dev/alpha/volUser`\t/home\t\text4\t\trw,relatime\t0 2\n" | tee -a /mnt/etc/fstab

tmpfs is a temporary filesystem that resides in memory or swap partitions. Without systemd, only the /run directory uses tmpfs by default. We can change the size of tmpfs partition using this command

echo -e "\ntmpfs\t\t\t\t\t\t/tmp\t\ttmpfs\t\trw,nosuid,nodev,relatime,size=8G,mode=1777\t0 0\n" | tee -a /mnt/etc/fstab

artix-chroot /mnt /bin/bash

Set your new root password

passwd

Since we're using doas instead of sudo and for whatever reason sudo is a dependency of base-devel, we will remove it now

pacman -Rdd sudo

First we need to generate our local. It is recommanded to use en_US

echo -e "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
export LANG=en_US.UTF-8

Then we need to switch our timezone

ln -s /usr/share/zoneinfo/your-continent/your-city /etc/localetime
hwclock --systohc

Setup your hostname, in this example "Artix"

echo "Artix" > /etc/hostname

And finally we need to add our static hosts

vim /etc/hosts

And insert this

127.0.0.1    localhost
::1          localhost
127.0.1.1    myhostname.localdomain    myhostname

Add your keymaps in vconsole

echo "KEYMAP=fr" > /etc/vconsole.conf

Next we're going to create a user account

useradd -m myuser
passwd myuser
usermod -aG wheel,storage,power myuser

We need to enable the use of doas for the wheel group. To do that create doas.conf

vim /etc/doas.conf

And add

permit :wheel

If you wan to persist your password in your terminal after you used it once, you can change the doas.conf to this

permit persist :wheel

Keep in mind that this is not as secure as typing your password every time.

pacman -S cryptsetup lvm2 lvm2-dinit
dinitctl enable lvm2

vim /etc/mkinitcpio.conf

And insert encrypt lvm2 and resume between the block and filesystems parameters

HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block filesystems fsck)

Should become

HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt lvm2 resume filesystems fsck)

Next, we will create a key to decrypt our disk during boot by our bootloader. If we don't do that, we will be prompted for our encryption key twice instead of one directly on boot. The default path for that key is /crypto_keyfile.bin. BE CAREFUL to never leak this key because it can fully decrypt your disk. We will generate it like this

dd if=/dev/random of=/crypto_keyfile.bin bs=512 count=8 iflag=fullblock
chmod 000 /crypto_keyfile.bin

Add the file to the FILES hook of /etc/mkinitcpio.conf and register your key.

sed -i "s/FILES=(/FILES=(\/crypto_keyfile.bin/g" /etc/mkinitcpio.conf
cryptsetup luksAddKey /dev/your-disk-2 /crypto_keyfile.bin

Compile the image and you're ready to go

mkinitcpio -p linux-hardened

We should get a successfull image generation

Let's install GRUB

pacman -S grub efibootmgr

Run this command to add the correct configuration. Make sure you reference the correct lvm partition (it should be your second one)

sed -i "s/^GRUB_CMDLINE_LINUX_DEFAULT=.*/GRUB_CMDLINE_LINUX_DEFAULT=\"cryptdevice=UUID=`blkid -s UUID -o value /dev/your-disk-2`:alpha loglevel=3 quiet resume=UUID=`blkid -s UUID -o value /dev/alpha/volSwap` net.iframes=0\"/" /etc/default/grub

Next open the file and check if the output of the previous command is correct

vim /etc/default/grub

Then uncomment this line

GRUB_ENABLE_CRYPTODISK="y"

And add to GRUB_PRELOAD_MODULES cryptodisk

GRUB_PRELOAD_MODULES="cryptodisk part_gpt part_msdos"

Save the file and run the next two commands to install and generate the config

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=artix --recheck /dev/your-disk
grub-mkconfig -o /boot/grub/grub.cfg

Check the output of the command to see if it used our linux-hardened image we created earlier

If you're using something other than the default US keyboard, you're going have to generate a keymap for GRUB to use.

First, you're going to need to setup the AUR repositories. Check this page of the wiki. Next, we're going to add this package

yay -S ckbcomp

We're going to add this line to our default grub

echo "GRUB_TERMINAL_INPUT=at_keyboard" | tee -a /etc/default/grub

Open /etc/grub.d/40_custom and paste those lines

insmod keylayouts
keymap /boot/grub/fr.gkb

Then generate the keymap and update GRUB

grub-kbdcomp -o /boot/grub/fr.gkb fr
update-grub

Voila, you should have your custom keymap on your next reboot

It seems like we can now boot into our system.

Exit the termnial, unmount the partitions and reboot !

exit
umount -R /mnt
swapoff -a
sync
reboot

Because we didn't install networkmanager, we're going to enable the dhcpcd service as root to get an ip adress

doas dinitctl enable dbus
doas dinitctl enable dhcpcd

We will also enable other services

doas dinitctl enable chrony

If you installed iwd in the basestrap, you can connect to the wifi by running

doas dinitctl enable iwd
iwctl
station name connect SSID

You can also change your DNS to whatever you want (don't use one that tracks you please). You can prevent the file from being updated if you want your DNS configuration to be persistent.

vim /etc/resolv.conf
chattr +i /etc/resolv.conf

You're DONE !! Congratulation, you're well on your way to have a secure system. See the next page of the wiki to upgrade the security of your newly installed system.