Install Artix - Sawangg/dotfiles GitHub Wiki
Download the ISO image from the official Artix Linux website. We will use the artix-base-dinit-x86_64.iso version to get Artix Linux with dinit. The partition layout for our machine will be as follows:
> **Important:** Need to figure out the correct setup with SWAP & BTRFS
System: UEFI & GPT
```
+----------------------+----------------------+----------------------+----------------------+
| EFI system partition | BTRFS Subvolume 1    | BTRFS Subvolume 2    | BTRFS Subvolume 3    |
|                      |                      |                      |                      |
| /efi (fat32)         | / (btrfs)            | /home (btrfs)        | [@snapshots]         |
|                      |                      |                      |                      |
| /dev/your-disk-1     |----------------------+----------------------+----------------------+
| unencrypted          | /dev/your-disk-2 encrypted using LUKS2                             |
+----------------------+--------------------------------------------------------------------+
| physical disk - /dev/your-disk                                                            |
+-------------------------------------------------------------------------------------------+
```
Use this schema as a reference if you're lost about which disk or partition I use in the commands.
This approach uses BTRFS on top of LUKS2 to encrypt our entire system. Later on we will also protect our /efi partition using Secure Boot. This provides maximum security for our data.
During this guide, I will reference the disk as /dev/your-disk, or a variant of it to indicate a specific partition. You will be able to see whether your disk is /dev/sda (for a hard drive), /dev/nvme0n1 (for an M.2 SSD) or something else in the section about wiping your disk.
Locate the ISO you downloaded on your machine and use a tool like dd on Linux or Rufus on Windows to flash the USB stick.
Here is the command to run as root to flash the USB on Linux:
```
dd bs=4M if=path/to/artix-base-dinit-x86_64.iso of=/dev/my-usb conv=fsync oflag=direct status=progress
```
Once the USB is flashed, plug it into your PC while it is shut down, press the boot menu key (or change the boot order in your BIOS) and boot from the USB.
You might need to edit the GRUB boot options depending on your hardware, or else you'll get a black screen once the live OS has loaded. Press `e` on the Stick/HDD entry of the menu and add `nomodeset` at the end of the line that starts with `linux`:
```
linux ... nomodeset
```
Press F10 to boot. You should now have access to the root terminal of your live Artix Linux.
Use the default credentials:
```
username: root
password: artix
```
Change your keyboard mapping if you didn't change the keytable in the GRUB options:
```
loadkeys <keymap> # Ex: loadkeys fr # For azerty layout
```
This step ensures that you start with a fresh disk. You can use whatever disk management tool you're comfortable with. Be careful: if you have data on this drive, it will be deleted!
List your partitions and disks:
```
lsblk
```
Wipe the data:
```
dd bs=4096 if=/dev/urandom iflag=nocache of=/dev/your-disk oflag=direct status=progress || true
```
WAIT for the process to finish and then run:
```
sync
```
We're going to need a network connection to install the necessary packages. Follow these steps to connect to the Wi-Fi using wpa_supplicant, which is provided in the live install of Artix:
```
rfkill unblock wlan
ip link set wlan0 up
wpa_cli
```
Then, inside the wpa_cli prompt (add_network prints the network id to use in the following commands):
```
add_network
set_network (id) ssid "myssid"
set_network (id) psk "mypassword"
enable_network (id)
```
We're going to use the parted tool to create our partitions. Let's download it:
```
pacman -S parted
```
Create a GPT partition table:
```
parted -s /dev/your-disk mklabel gpt
```
We're going to use the UEFI & GPT combo. The first partition is going to hold our bootloader and the rest will be LUKS-encrypted.
We're also going to use btrfs instead of ext4 to get filesystem snapshots and built-in subvolumes, and because it's a more recent filesystem.
```
parted -s -a optimal /dev/your-disk mkpart "primary" "fat32" "0%" "512MiB"
parted -s /dev/your-disk set 1 esp on
parted -s -a optimal /dev/your-disk mkpart "primary" "512MiB" "100%"
```
Print the partition table of the drive and check that the alignment of your partitions is optimal:
```
lsblk
parted -s /dev/your-disk align-check optimal 1
parted -s /dev/your-disk align-check optimal 2
```
Now we're going to encrypt our disk. To get started, run the next command to see the performance of every cipher on your machine:
```
cryptsetup benchmark
```
To generate a strong password, you can use this tool: https://rumkin.com/tools/password/
Next we're going to encrypt the disk using one of the stronger ciphers proposed by the benchmark. Note that XTS splits the key in two halves, so `-s 256` below gives AES-128; use `-s 512` if you want AES-256.
```
cryptsetup -v --pbkdf pbkdf2 -c aes-xts-plain64 -s 256 --iter-time 10000 --use-random --verify-passphrase luksFormat /dev/your-disk-2
```
> **Important:** When GRUB is patched to allow the use of Argon2id, remove `--pbkdf pbkdf2` from the command.
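Before going further, it is worth confirming that the header you just wrote really uses the cipher you chose and that every keyslot uses a PBKDF GRUB can unlock (pbkdf2 until GRUB supports Argon2id). The helper below is an added example, not part of the wiki: it parses `cryptsetup luksDump` output from stdin, and the two dumps embedded here are constructed, trimmed samples standing in for a real header.

```shell
#!/bin/sh
# Added example (not from the wiki): sanity-check a LUKS2 header dump.
# Run on the real disk as:  cryptsetup luksDump /dev/your-disk-2 | luks_header_check pbkdf2
# Checks: header is LUKS2, data cipher is aes-xts-plain64, and EVERY keyslot
# uses the requested PBKDF (a single argon2id keyslot is enough to confuse GRUB).
luks_header_check() {
    want_pbkdf="${1:-pbkdf2}"
    awk -v want="$want_pbkdf" '
        /^Version:/          { version = $2 }
        /^[ \t]*cipher:/     { cipher = $2 }          # data segment line (lowercase c)
        /^[ \t]*PBKDF:/      { slots++; if ($2 != want) bad++ }
        END {
            rc = 0
            if (version != "2")               { print "not a LUKS2 header"; rc = 1 }
            if (cipher != "aes-xts-plain64")  { print "data cipher is " cipher ", expected aes-xts-plain64"; rc = 1 }
            if (slots == 0)                   { print "no keyslots found"; rc = 1 }
            if (bad > 0)                      { print bad " keyslot(s) not using " want; rc = 1 }
            exit rc
        }'
}

# Constructed sample: what luksDump shows after the luksFormat command above.
SAMPLE_OK='LUKS header information
Version:        2
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
Digests:
  0: pbkdf2'

# Constructed sample: a second keyslot (e.g. a keyfile) added WITHOUT --pbkdf pbkdf2.
SAMPLE_MIXED='Version:        2
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        PBKDF:      pbkdf2
  1: luks2
        PBKDF:      argon2id'

printf '%s\n' "$SAMPLE_OK"    | luks_header_check pbkdf2 && echo "sample 1: header OK for GRUB"
printf '%s\n' "$SAMPLE_MIXED" | luks_header_check pbkdf2 || echo "sample 2: GRUB could not unlock this"
```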
Then we open the encrypted partition through the device mapper. If you run into issues mounting the partition, a reboot here can fix them.
```
cryptsetup luksOpen /dev/your-disk-2 alpha
btrfs subvolume create /mnt/@root
```
Now unmount so we can change the mount options.
We can format each partition with the correct file system:
```
mkfs.fat -n ESP -F 32 /dev/your-disk-1
mkswap -L SWAP /dev/alpha/volSwap
mkfs.btrfs -L ROOT /dev/alpha/volRoot
mkfs.btrfs -L HOME /dev/alpha/volUser
```
You might get some errors from btrfs; you can check the filesystems using `lsblk -f`.
We can finally mount our newly created partitions:
```
swapon /dev/alpha/volSwap
mount /dev/alpha/volRoot /mnt
mkdir -p /mnt/boot/efi
mount /dev/your-disk-1 /mnt/boot/efi
mkdir /mnt/home
mount /dev/alpha/volUser /mnt/home
```
We did it! We can finally install Artix on our system.
It's time to install all the necessary packages for your brand new OS.
First we're going to install the base. I chose dinit, but you can use runit, OpenRC or s6. I also added seatd instead of elogind to keep the philosophy of Artix.
```
basestrap -i /mnt base base-devel dinit seatd seatd-dinit dbus-dinit
```
Then we're going to choose linux-hardened for more security. We're also using seatd and turnstile instead of elogind; we're going to install turnstile later on.
```
basestrap -i /mnt linux-firmware linux-hardened linux-hardened-headers booster cryptsetup btrfs-progs dhcpcd dhcpcd-dinit iwd iwd-dinit acpi chrony chrony-dinit openssh man
```
And finally we're going to install additional packages:
```
basestrap -i /mnt doas vim git amd-ucode fastfetch
```
Feel free to replace amd-ucode with the microcode package for your CPU (intel-ucode). We're going to install GPU drivers later on.
Generate the fstab:
```
fstabgen -U /mnt >> /mnt/etc/fstab
```
Ensure everything is listed correctly:
```
cat /mnt/etc/fstab
```
If you're missing an entry, add it manually. For example, this is the command to add your /home (formatted as btrfs above, so the fstab type must be btrfs too):
```
echo -e "# /dev/mapper/alpha-volUser LABEL=HOME\nUUID=`blkid -s UUID -o value /dev/alpha/volUser`\t/home\t\tbtrfs\t\trw,relatime\t0 2\n" | tee -a /mnt/etc/fstab
```
tmpfs is a temporary filesystem that resides in memory or swap. Without systemd, only the /run directory uses tmpfs by default. We can mount /tmp on tmpfs with a fixed size by adding this entry:
```
echo -e "\ntmpfs\t\t\t\t\t\t/tmp\t\ttmpfs\t\trw,nosuid,nodev,relatime,size=8G,mode=1777\t0 0\n" | tee -a /mnt/etc/fstab
```
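Since fstab is partly hand-written here, a quick check that the entries match this guide's layout (/ and /home on btrfs, /boot/efi on vfat, a swap entry, /tmp on tmpfs with nosuid,nodev) catches the classic slip of copying an ext4 line for a btrfs volume. The function below is an added example, not part of the wiki; run it as `fstab_check < /mnt/etc/fstab`. The two fstab samples are constructed.

```shell
#!/bin/sh
# Added example (not from the wiki): validate /mnt/etc/fstab against this guide's layout.
# Reads an fstab from stdin; prints each problem found and returns 1 if any.
fstab_check() {
    awk '
        BEGIN { rc = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                     # skip comments and blank lines
        NF != 6 { print "line " NR ": expected 6 fields, got " NF; rc = 1; next }
        { type[$2] = $3; opts[$2] = $4 }                      # index by mount point
        END {
            split("/:btrfs /home:btrfs /boot/efi:vfat none:swap /tmp:tmpfs", want, " ")
            for (i in want) {
                split(want[i], kv, ":")
                if (!(kv[1] in type))        { print "missing entry for " kv[1]; rc = 1 }
                else if (type[kv[1]] != kv[2]) { print kv[1] " is " type[kv[1]] ", expected " kv[2]; rc = 1 }
            }
            if ("/tmp" in type && (opts["/tmp"] !~ /nosuid/ || opts["/tmp"] !~ /nodev/))
                { print "/tmp tmpfs should carry nosuid,nodev"; rc = 1 }
            exit rc
        }'
}

# Constructed sample matching the guide (UUIDs are placeholders).
FSTAB_OK='# <file system>  <dir>  <type>  <options>  <dump>  <pass>
UUID=1A2B-3C4D                               /boot/efi  vfat   rw,relatime                                  0 2
UUID=00000000-0000-0000-0000-000000000001    /          btrfs  rw,relatime,subvol=/                         0 0
UUID=00000000-0000-0000-0000-000000000002    /home      btrfs  rw,relatime                                  0 0
UUID=00000000-0000-0000-0000-000000000003    none       swap   defaults                                     0 0
tmpfs                                        /tmp       tmpfs  rw,nosuid,nodev,relatime,size=8G,mode=1777  0 0'

# Constructed sample with three mistakes: /home typed as ext4, no swap line, /tmp without nosuid.
FSTAB_BAD='UUID=1A2B-3C4D                               /boot/efi  vfat   rw,relatime                     0 2
UUID=00000000-0000-0000-0000-000000000001    /          btrfs  rw,relatime,subvol=/            0 0
UUID=00000000-0000-0000-0000-000000000002    /home      ext4   rw,relatime                     0 2
tmpfs                                        /tmp       tmpfs  rw,nodev,relatime,size=8G       0 0'

printf '%s\n' "$FSTAB_OK"  | fstab_check && echo "sample 1: fstab OK"
printf '%s\n' "$FSTAB_BAD" | fstab_check || echo "sample 2: fix the entries above before rebooting"
```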
Now chroot into the new system:
```
artix-chroot /mnt /bin/bash
```
Set your new root password:
```
passwd
```
Since we're using doas instead of sudo, and for whatever reason sudo is a dependency of base-devel, we will remove it now:
```
pacman -Rdd sudo
```
First we need to generate our locale. It is recommended to use en_US:
```
echo -e "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
export LANG=en_US.UTF-8
```
Then we need to set our timezone:
```
ln -sf /usr/share/zoneinfo/your-continent/your-city /etc/localtime
hwclock --systohc
```
Set up your hostname, in this example "Artix":
```
echo "Artix" > /etc/hostname
```
And finally we need to add our static hosts:
```
vim /etc/hosts
```
And insert this:
```
127.0.0.1 localhost
::1 localhost
127.0.1.1 myhostname.localdomain myhostname
```
Add your keymap in vconsole:
```
echo "KEYMAP=fr" > /etc/vconsole.conf
```
Next we're going to create a user account:
```
useradd -m myuser
passwd myuser
usermod -aG wheel,storage,power myuser
```
We need to enable the use of doas for the wheel group. To do that, create doas.conf:
```
vim /etc/doas.conf
```
And add:
```
permit :wheel
```
If you want your password to persist in your terminal after you have typed it once, you can change doas.conf to this:
```
permit persist :wheel
```
Keep in mind that this is not as secure as typing your password every time.
We're going to use booster instead of the more traditional mkinitcpio. Here is the config we're going to use in /etc/booster.yaml:
```
universal: false
modules: btrfs
mount_timeout: 30s
```
Now we can build our image. Be sure to check your kernel version with `ls /usr/lib/modules` or `uname -r`:
```
booster build -f --kernel-version 6.10.12-hardened1-1-hardened /boot/booster-linux-hardened.img
```
> **Important:** For LUKS2 without Argon2id, to embed the key in the initramfs, run:
> ```
> cryptsetup luksAddKey --pbkdf pbkdf2 /dev/your-disk-2 /crypto_keyfile.bin
> ```
Let's install our bootloader, GRUB:
```
pacman -S grub efibootmgr
```
Run this command to add the correct configuration. Make sure you reference the correct partition (it should be your second one):
```
sed -i "s/^GRUB_CMDLINE_LINUX_DEFAULT=.*/GRUB_CMDLINE_LINUX_DEFAULT=\"cryptdevice=UUID=`blkid -s UUID -o value /dev/your-disk-2`:alpha loglevel=3 quiet resume=UUID=`blkid -s UUID -o value /dev/alpha/volSwap` net.ifnames=0\"/" /etc/default/grub
```
Next open the file and check that the output of the previous command is correct:
```
vim /etc/default/grub
```
Then uncomment this line:
```
GRUB_ENABLE_CRYPTODISK="y"
```
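The sed above splices the output of two blkid calls into the kernel command line; if you passed a wrong device path, blkid prints nothing and the file silently ends up with `cryptdevice=UUID=:alpha`, which GRUB cannot unlock. The function below is an added example, not part of the wiki, that checks /etc/default/grub for exactly that (both UUIDs well-formed, the mapper name `alpha`, and GRUB_ENABLE_CRYPTODISK uncommented); the two config samples are constructed.

```shell
#!/bin/sh
# Added example (not from the wiki): validate /etc/default/grub after editing it.
# Usage: grub_config_check < /etc/default/grub   (returns 0 when everything looks sane)
grub_config_check() {
    cfg=$(cat)
    uuid='[0-9a-fA-F]\{8\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{12\}'
    rc=0
    # Extract the value between the quotes of GRUB_CMDLINE_LINUX_DEFAULT="..."
    cmdline=$(printf '%s\n' "$cfg" | sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p')
    if [ -z "$cmdline" ]; then
        echo "GRUB_CMDLINE_LINUX_DEFAULT is not set"
        return 1
    fi
    printf '%s\n' "$cmdline" | grep -q "cryptdevice=UUID=$uuid:alpha" \
        || { echo "cryptdevice=UUID=<uuid>:alpha missing or UUID empty (wrong blkid path?)"; rc=1; }
    printf '%s\n' "$cmdline" | grep -q "resume=UUID=$uuid" \
        || { echo "resume=UUID=<uuid> missing or UUID empty"; rc=1; }
    printf '%s\n' "$cfg" | grep -q '^GRUB_ENABLE_CRYPTODISK="y"' \
        || { echo 'GRUB_ENABLE_CRYPTODISK="y" is missing or still commented out'; rc=1; }
    return $rc
}

# Constructed sample of a correct file (placeholder UUIDs).
GRUB_OK='GRUB_DEFAULT=0
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=00000000-0000-0000-0000-0000000000a2:alpha loglevel=3 quiet resume=UUID=00000000-0000-0000-0000-0000000000b3 net.ifnames=0"
GRUB_ENABLE_CRYPTODISK="y"'

# Constructed sample of the failure mode: blkid printed nothing and the line was left commented.
GRUB_BAD='GRUB_DEFAULT=0
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=:alpha loglevel=3 quiet resume=UUID= net.ifnames=0"
#GRUB_ENABLE_CRYPTODISK="y"'

printf '%s\n' "$GRUB_OK"  | grub_config_check && echo "sample 1: grub config OK"
printf '%s\n' "$GRUB_BAD" | grub_config_check || echo "sample 2: fix /etc/default/grub before grub-mkconfig"
```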
Save the file and run the next two commands to install GRUB and generate its config:
```
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=artix --recheck /dev/your-disk
grub-mkconfig -o /boot/grub/grub.cfg
```
Check the output of the command to see that it picked up the booster-linux-hardened image we created earlier.
It seems like we can now boot into our system.
Exit the chroot, unmount the partitions and reboot!
```
exit
umount -R /mnt
swapoff -a
sync
reboot
```
Because we didn't install NetworkManager, we're going to enable the dhcpcd service as root to get an IP address:
```
doas dinitctl enable dbus
doas dinitctl enable dhcpcd
```
We will also enable other services:
```
doas dinitctl enable chrony
```
If you installed iwd in the basestrap, you can connect to the Wi-Fi by running:
```
doas dinitctl enable iwd
iwctl
station name connect SSID
```
You can also change your DNS to whatever you want (don't use one that tracks you please). If you want your DNS configuration to be persistent, you can make the file immutable so that dhcpcd can't overwrite it:
```
vim /etc/resolv.conf
chattr +i /etc/resolv.conf
```
You're DONE!! Congratulations, you're well on your way to having a secure system. See the next page of the wiki to harden your newly installed system further.