This guide is based on Artix Linux: Full Disk Encryption with UEFI, with fixes for some new problems. Since I'm using an AMD PC with open-source coreboot+SeaBIOS to avoid the proprietary UEFI holes/backdoors (more system info), I had to replace the UEFI/GPT disk commands with the BIOS/MBR ones.

LiveCD/LiveUSB

Get an Artix Live ISO with your favorite Desktop Environment and OpenRC. Burn it to CD/DVD with Brasero/Xfburn - or write it to a USB flash drive: after inserting it into your PC, use a

 dmesg

terminal command to learn your drive letter from a Linux kernel log, then write to this USB with

 sudo su
 dd if=~/Downloads/artix-xfce-openrc-20200506-x86_64.iso iflag=nocache bs=4096 | pv | dd of=/dev/sdX oflag=direct bs=4096 || true

where X in sdX is the letter of your USB flash drive, and pv shows the progress. If your dd from Coreutils is new enough, pv may be substituted with a status=progress option:

 dd bs=4096 if=~/Downloads/artix-xfce-openrc-20200506-x86_64.iso iflag=nocache of=/dev/sdX oflag=direct status=progress

After executing a dd command, run

 sync

and wait until it completes - to flush the filesystem buffers and make sure that the image writing has been physically done.

While booting from your live media, choose the From CD/DVD/ISO option regardless of whether you are using a CD/DVD or USB. Those who dared to use the forbidden From Stick/HDD option experienced problems with polkit and other issues, examples of which can be found: here, here, here etc.

After booting from a LiveCD/LiveUSB, open a terminal and write

 sudo su

to run the subsequent commands under root.

Disk Partitioning

Here is a disk partitioning scheme we are going to get:

 /dev/sdX - physical disk with MBR partition table
 /dev/sdX1 - /boot unencrypted partition
 /dev/sdX2 - encrypted with LUKS (Linux Unified Key Setup) and partitioned into a LVM (Logical Volume Manager) container
 |---> Logical volume 1 - /dev/mapper/lvm-volSwap - swap partition, the size of which is >= size of your RAM (e.g. 16 GB)
 |---> Logical volume 2 - /dev/mapper/lvm-volRoot - / root partition, which gets 100% of remaining free space

Erase a Disk

Learn the X of your desired drive:

 parted -l

Print its partition table with

 parted -s /dev/sdX print

Check there's nothing important on it, then erase its partition table and some/all of its contents with

 dd bs=4096 if=/dev/zero iflag=nocache of=/dev/sdX oflag=direct status=progress

Let it run for a minute and interrupt with Ctrl+C/Ctrl+Z if you are in a hurry - or wait until it ends - then

 sync

to flush the disk operations.

Create the Partitions

Create a new MBR partition table:

 parted -s /dev/sdX mklabel msdos

Set up a /dev/sdX1 partition for /boot - 1GB should be enough - and set a boot flag:

 parted -s -a optimal /dev/sdX mkpart "primary" "fat16" "0%" "1024MiB"
 parted -s /dev/sdX set 1 boot on

Print the partition table of a drive and see if the alignment of your first partition is optimal:

 parted -s /dev/sdX print
 parted -s /dev/sdX align-check optimal 1

Make a /dev/sdX2 partition which will take the rest of free space - after 1GB of /boot - and set a lvm flag:

 parted -s -a optimal /dev/sdX mkpart "primary" "ext4" "1024MiB" "100%"
 parted -s /dev/sdX set 2 lvm on

Setup the Logical Volumes

The disk encryption will utilize the Linux Unified Key Setup (LUKS), which is now part of an enhanced version of cryptsetup, using dm-crypt (device-mapper crypt) as the disk encryption backend.

To force loading the Linux kernel modules for Serpent and other strong ciphers from your LiveCD/LiveUSB, run

 cryptsetup benchmark

- and, after it completes, use a command like

 cryptsetup --verbose --type luks1 --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 10000 --use-random --verify-passphrase luksFormat /dev/sdX2

to create and format the LUKS partition with your custom encryption flags. Open it and map it through the device mapper - e.g. as lvm-system:

 cryptsetup luksOpen /dev/sdX2 lvm-system

Note: later you will encounter the following warnings - they happen because /run is not available inside the chroot - so you can ignore them:

 WARNING: Failed to connect to lvmetad. Falling back to device scanning.
 /run/lvm/lvmetad.socket: connect failed: No such file or directory
 WARNING: failed to connect to lvmetad: No such file or directory. Falling back to internal scanning.

Now it is possible to create a physical volume using the Logical Volume Manager (LVM) and the previously used id lvm-system as follows:

 pvcreate /dev/mapper/lvm-system

Having the physical volume, it is possible to create a logical volume group named lvmSystem as follows:

 vgcreate lvmSystem /dev/mapper/lvm-system

And having the logical volume group, the logical volumes can be created as follows. As an example, a 16GB for swap (volSwap) and the rest for the root partition (volRoot):

 lvcreate -L 16G lvmSystem -n volSwap
 lvcreate -l +100%FREE lvmSystem -n volRoot

Format the Partitions

Having all physical and virtual disk partitions ready, now it is possible to format them.

Format a boot partition with

 mkfs.fat -n BOOT /dev/sdX1

Format a swap partition with

 mkswap /dev/lvmSystem/volSwap

This command will print a message like

 # Setting up swapspace version 1, size = 16 GiB (17179865088 bytes)
 # no label, UUID=6955244c-c72a-4dec-8dee-079ec743a818

Copy your swap UUID somewhere - you will need it later.

Format a root partition with

 mkfs.ext4 -L volRoot /dev/lvmSystem/volRoot

Mount the Partitions

Having each partition formatted, they can be mounted as follows:

 swapon /dev/lvmSystem/volSwap
 mount /dev/lvmSystem/volRoot /mnt
 mkdir /mnt/boot
 mount /dev/sdX1 /mnt/boot

Artix Installation

With a partition scheme configured above, there is a high chance of getting a GRUB-related error

 Boost.Python error in job "bootloader".

during an Artix Linux installation with a Calamares graphical installer. Since there doesn't seem to be an option to disable the GRUB installation at Calamares, we have to do it by manually editing a related script. Open it with

 nano /usr/lib/calamares/modules/bootloader/main.py

and comment out this line near the end of file at def run() function:

 prepare_bootloader(fw_type)

--->

 # prepare_bootloader(fw_type)

This is fine, since we're going to install GRUB manually a bit later.

Instead of double-clicking the Calamares shortcut on the Desktop, I recommend launching Calamares from a console - to get more logs, which could be really useful if any problems arise. Extract the launch command from this shortcut with

 cat /home/artix/Desktop/calamares.desktop | grep "Exec"

It should look like

 pkexec env DISPLAY=:0 XAUTHORITY=/home/artix/.Xauthority QT_QPA_PLATFORMTHEME=gtk2 calamares

- however, my command could be outdated, so don't just copy-paste it. Extract your own! Then use it.

While installing with Calamares: at "Partitions / Select storage device" screen - choose "lvmSystem (/dev/lvmSystem)" and "Manual partitioning", and at the next screen - set a mount point / for /dev/lvmSystem/volRoot. "Install bootloader on" - could be anything: it will be ignored thanks to our earlier change of a Calamares script. And the "Option to use GPT on BIOS" popup could be closed.

After completing the installation, simply close a Calamares window without choosing a "Restart now": we need to install and configure the packages and also a bootloader.

Configure the Packages

fstab

Open /mnt/etc/fstab with

 nano /mnt/etc/fstab

and remove all the uncommented lines - they have been created by the Calamares installer. Now, generate the new lines with

 fstabgen -U /mnt >> /mnt/etc/fstab

Optionally, all solid-state disk (SSD) mountpoints can be updated with the discard option to enable TRIM:

 sed -i "s/ordered/ordered,discard/g" /mnt/etc/fstab

However, there are opinions that recommend against TRIM. If in doubt about the hardware, the Periodic TRIM can be applied instead.

As the order of options at the configuration files might change, double check the results of all the sed commands to make sure that they really worked!

Optionally, to change the size of the TMPFS partition (e.g. of size 8GB, i.e. half RAM size), open a /mnt/etc/fstab

 nano /mnt/etc/fstab

and insert this line to the end of it, making sure that the TAB whitespace separators haven't been converted to the regular spaces (TABs should be everywhere except a space between two last zeroes) and without a front space:

 tmpfs	/tmp	tmpfs	nodev,nosuid,size=8G	0 0

chroot

Now, it is time to change root (chroot) to the newly installed environment:

 artools-chroot /mnt /bin/bash

Set up a root password with

 passwd

Update the database of packages by running:

 pacman -Sy

locale, timezone, hostname

System-wide locale (e.g. en_US.UTF-8), timezone and hostname - should have been configured by Calamares. Check it by doing

 cat /etc/locale.gen
 cat /etc/localtime
 cat /etc/conf.d/hostname

If not, configure a locale with

 echo -e "en_US.UTF-8 UTF-8" >> /etc/locale.gen
 locale-gen
 echo LANG=en_US.UTF-8 > /etc/locale.conf
 export LANG=en_US.UTF-8

, timezone with

 ln -s /usr/share/zoneinfo/Continent/City /etc/localtime

, hostname (e.g. 4rt1x) with

 nano /etc/conf.d/hostname

and

 hostname="4rt1x"

mkinitcpio.conf

The /etc/mkinitcpio.conf file allows setting up various kernel parameters. Within the HOOKS part, the encrypt and lvm2 keywords need to be placed between the block and filesystems keywords in order to enable Full Disk Encryption. It may also be useful to include the resume keyword to enable suspend-to-disk. However, this may not always work, for example with hardened kernels.

As the sed might be unreliable because of the possible changes to the options' order, open /etc/mkinitcpio.conf with

 nano /etc/mkinitcpio.conf

and insert encrypt and resume options manually to the following places:

 HOOKS="base udev autodetect modconf block keyboard keymap lvm2 filesystems fsck"

--->

 HOOKS="base udev autodetect modconf block encrypt keyboard keymap lvm2 resume filesystems fsck"

GRUB - Installation

To avoid a GRUB configuration problem described at the end of this post, remove the artix-grub-theme package with its dependencies:

 pacman -Rc artix-grub-theme

Now, you could install these packages:

 pacman -S lvm2 cryptsetup linux mkinitcpio

During that, initramfs should be re-generated automatically with the encrypt/resume hooks. If not, re-generate initramfs manually:

 mkinitcpio -p linux

After that, a grub package could be installed with

 pacman -S grub

GRUB - Configuration

In order for a GRUB to find the LUKS-encrypted partitions, you'll need to configure it:

 nano /etc/default/grub

Personally I've changed the following lines - without the front spaces:

1) Added a

 # GRUB boot loader configuration

to the top of a file

2) Increased a GRUB timeout from 3 to 15:

 GRUB_TIMEOUT="15"

3) Expanded a GRUB default command line:

 GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

--->

 GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=xxx:lvm-system loglevel=3 quiet resume=UUID=yyy net.ifnames=0"

where the xxx UUID can be found with

 blkid -s UUID -o value /dev/sdX2

and yyy UUID - swap UUID - is already known by you from the previous steps.

4) Added

 # Uncomment to enable booting from LUKS encrypted devices
 GRUB_ENABLE_CRYPTODISK="true"

 # Set to 'countdown' or 'hidden' to change timeout behavior,
 # press ESC key to display menu.
 GRUB_TIMEOUT_STYLE="menu"

5) Changed GRUB_GFXMODE:

 GRUB_GFXMODE="1024x768,800x600"

--->

 GRUB_GFXMODE="auto"

6) Moved up the

 GRUB_DISABLE_LINUX_RECOVERY="true"

7) Commented out

 #GRUB_SAVEDEFAULT="true"

and added the quote " symbols around the options.

Here's a final /etc/default/grub from artix-xfce-openrc-20200506-x86_64.iso . If this config isn't outdated - you could use it as a template, just remember to replace the UUID's with your own:

 swap UUID

- you already wrote it down on the previous steps,

 root UUID

- find it out with

  blkid -s UUID -o value /dev/sdX2
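
A wrong or swapped UUID in cryptdevice= or resume= only shows up at the next boot, so it is worth checking the file against the blkid/mkswap values before running grub-mkconfig. This is an added example, not part of the original guide; cmdline_value and check_grub_cmdline are hypothetical helper names, and the UUIDs in the sample are constructed:

```shell
#!/bin/sh
# Added example, not from the original guide: compare the UUIDs in
# GRUB_CMDLINE_LINUX_DEFAULT with the ones blkid and mkswap reported.
# In the chroot: check_grub_cmdline /etc/default/grub \
#     "$(blkid -s UUID -o value /dev/sdX2)" "<swap UUID noted earlier>"

# cmdline_value FILE KEY -> text after KEY= in the last GRUB_CMDLINE_LINUX_DEFAULT line
cmdline_value() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT=//p' "$1" | tail -n 1 |
        tr -d "\"'" | tr ' ' '\n' | sed -n "s/^$2=//p" | tail -n 1
}

# check_grub_cmdline FILE LUKS_UUID SWAP_UUID [MAPPER_NAME] -> 0 if consistent
check_grub_cmdline() {
    file=$1 luks=$2 swap=$3 mapper=${4:-lvm-system} rc=0
    crypt=$(cmdline_value "$file" cryptdevice)   # expected: UUID=<luks>:<mapper>
    resume=$(cmdline_value "$file" resume)       # expected: UUID=<swap>
    [ -n "$crypt" ] || { echo "FAIL: cryptdevice= is missing"; return 1; }
    case ${crypt%%:*} in
        "UUID=$luks") ;;
        "UUID=$swap") echo "FAIL: cryptdevice points at the swap UUID"; rc=1 ;;
        *) echo "FAIL: cryptdevice UUID does not match the LUKS partition"; rc=1 ;;
    esac
    case $crypt in
        *:"$mapper"|*:"$mapper":*) ;;
        *) echo "FAIL: mapper name is not $mapper"; rc=1 ;;
    esac
    case $resume in
        "UUID=$swap") ;;
        "") echo "NOTE: no resume= parameter, resume from disk is disabled" ;;
        *) echo "FAIL: resume UUID does not match the swap volume"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: GRUB command line matches the disk"
    return "$rc"
}

# Constructed sample: placeholder UUIDs, with the two values swapped in the second call
tmp=$(mktemp -d)
LUKS=11111111-1111-1111-1111-111111111111
SWAP=22222222-2222-2222-2222-222222222222
echo "GRUB_CMDLINE_LINUX_DEFAULT=\"cryptdevice=UUID=$LUKS:lvm-system loglevel=3 quiet resume=UUID=$SWAP net.ifnames=0\"" > "$tmp/grub"
check_grub_cmdline "$tmp/grub" "$LUKS" "$SWAP"
check_grub_cmdline "$tmp/grub" "$SWAP" "$LUKS" || echo "-> fix /etc/default/grub before grub-mkconfig"
rm -rf "$tmp"
```
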

Install these optional dependencies:

 pacman -S dosfstools freetype2 fuse2 gptfdisk libisoburn mtools os-prober
 pacman -S iw memtest86+ wpa_supplicant
 pacman -S device-mapper-openrc lvm2-openrc cryptsetup-openrc

Then, you can install GRUB to MBR and generate its config:

 grub-install --target=i386-pc --boot-directory=/boot --bootloader-id=artix --recheck /dev/sdX
 grub-mkconfig -o /boot/grub/grub.cfg

Other Packages

In order to decrypt and use the LUKS/LVM volumes, the following services need to be installed and activated:

 rc-update add device-mapper boot
 rc-update add lvm boot
 rc-update add dmcrypt boot

The udev service (eudev/eudev-openrc) should be started by default in the sysinit runlevel. Its activation can be confirmed as follows:

 rc-status sysinit | grep udev

- should print this output:

 Service `netmount' needs non existent service `net'
 udev                                                              [  stopped  ]
 udev-trigger                                                      [  stopped  ]

The dbus service should be installed and activated. Should it not, it can be done as follows:

 rc-update add dbus default

The systemd project’s logind should be installed as part of the base meta package. Should it not be activated, it can be done as follows:

 rc-update add elogind boot

The haveged service is a simple entropy daemon useful for unpredictable random number generation, which can be installed and activated as follows:

 pacman -S haveged haveged-openrc
 rc-update add haveged default

Cron job daemons (cronie, fcron etc.) can be installed and activated as follows (e.g. cronie):

 pacman -S cronie cronie-openrc
 rc-update add cronie default

If Network Manager GUI is the desired choice to manage network interfaces, the following needs to be run in order to install and activate the service:

 pacman -S networkmanager networkmanager-openrc networkmanager-openvpn network-manager-applet
 rc-update add NetworkManager default

NTP, ACPI, Syslog-NG daemons can be installed and activated as follows:

 pacman -S ntp ntp-openrc acpid acpid-openrc syslog-ng syslog-ng-openrc
 rc-update add ntpd default
 rc-update add acpid default
 rc-update add syslog-ng default

Useful packages (will include samba, samba client):

 pacman -S artools bash-completion lsof strace
 pacman -S wget htop mc zip samba unrar p7zip unzip
 pacman -S hdparm smartmontools hwinfo dmidecode
 pacman -S whois rsync nmap tcpdump inetutils net-tools ndisc6

In order to access AUR, yaourt can be installed:

 pacman -S yaourt

Exit the chroot and unmount the volumes:

 exit
 umount -R /mnt
 swapoff -a

Flush the disk operations:

 sync

Now a system can be rebooted:

 reboot

First Boot

During the first boot, you might get the following error:

 A password is required to access the lvm-system volume:
 cryptsetup: /usr/lib/libjson-c.so.5: no version information available (required by /usr/lib/libcryptsetup.so.12)
 Enter passphrase for /dev/sdX2:

Ignore this error, enter your passphrase and boot. Then open a console, run

 sudo su

to get the root rights, and fully upgrade your system with

 pacman -Suy

After the upgrade completes, instead of instantly rebooting, please open mkinitcpio.conf with

 nano /etc/mkinitcpio.conf

and make sure that all the HOOKS - especially encrypt - have been preserved:

 HOOKS="base udev autodetect modconf block encrypt keyboard keymap lvm2 resume filesystems fsck"

If not - manually insert it, then run

 mkinitcpio -p linux

to apply this change.
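
The HOOKS order set in the mkinitcpio.conf section, and re-checked here after an upgrade, can be verified by a script instead of by eye. This is an added example, not part of the original guide; hook_pos and check_hooks are hypothetical helper names, the layout assumed is LVM inside LUKS as built above, and the two sample configs are constructed from the HOOKS lines shown in this guide:

```shell
#!/bin/sh
# Added example (not from the original guide): check that the initramfs HOOKS
# still unlock LUKS before LVM is scanned. Layout assumed: LVM inside LUKS.

# hook_pos FILE NAME -> 1-based position of NAME in the active HOOKS line, 0 if absent
hook_pos() {
    awk -v want="$2" '
        /^[[:space:]]*HOOKS=/ {            # commented-out examples do not match
            line = $0
            sub(/^[[:space:]]*HOOKS=/, "", line)
            sub(/#.*/, "", line)           # drop a trailing comment
            gsub(/["()]/, "", line)        # accept HOOKS="..." and HOOKS=(...)
            n = split(line, h)
            pos = 0                        # the last HOOKS line wins
            for (i = 1; i <= n; i++) if (h[i] == want) pos = i
        }
        END { print pos + 0 }
    ' "$1"
}

# check_hooks FILE -> returns 0 when block < encrypt < lvm2 < filesystems,
# and resume (if present) sits between lvm2 and filesystems
check_hooks() {
    conf=$1 rc=0
    b=$(hook_pos "$conf" block)   e=$(hook_pos "$conf" encrypt)
    l=$(hook_pos "$conf" lvm2)    f=$(hook_pos "$conf" filesystems)
    r=$(hook_pos "$conf" resume)
    for pair in "block:$b" "encrypt:$e" "lvm2:$l" "filesystems:$f"; do
        [ "${pair#*:}" -gt 0 ] || { echo "FAIL: ${pair%%:*} hook missing"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    [ "$b" -lt "$e" ] || { echo "FAIL: encrypt must come after block"; rc=1; }
    [ "$e" -lt "$l" ] || { echo "FAIL: encrypt must come before lvm2"; rc=1; }
    [ "$l" -lt "$f" ] || { echo "FAIL: lvm2 must come before filesystems"; rc=1; }
    if [ "$r" -gt 0 ]; then
        { [ "$l" -lt "$r" ] && [ "$r" -lt "$f" ]; } ||
            { echo "FAIL: resume must sit between lvm2 and filesystems"; rc=1; }
    else
        echo "NOTE: no resume hook, the system will not resume from volSwap"
    fi
    [ "$rc" -eq 0 ] && echo "OK: HOOKS order is intact"
    return "$rc"
}

# Constructed samples: the guide's target line, and the stock line it replaces
tmp=$(mktemp -d)
echo 'HOOKS="base udev autodetect modconf block encrypt keyboard keymap lvm2 resume filesystems fsck"' > "$tmp/good.conf"
echo 'HOOKS="base udev autodetect modconf block keyboard keymap lvm2 filesystems fsck"' > "$tmp/stock.conf"
check_hooks "$tmp/good.conf"
check_hooks "$tmp/stock.conf" || echo "-> re-add the hook, then run: mkinitcpio -p linux"
rm -rf "$tmp"
```

On the installed system, run check_hooks /etc/mkinitcpio.conf after every upgrade and before rebooting.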

Troubleshooting

If after a system update, instead of

 A password is required to access the lvm-system volume:
 Enter passphrase for /dev/sdX2:

you are getting

 ERROR: device '/dev/mapper/lvmSystem-volRoot' not found. Skipping fsck.

, maybe encrypt has disappeared from HOOKS of mkinitcpio.conf. To fix this, boot from LiveCD/LiveUSB and do these commands:

 sudo su

- get the root rights,

 cryptsetup benchmark

- to force loading the Serpent-related Linux kernel modules

 cryptsetup luksOpen /dev/sdX2 lvm-system
 mount /dev/lvmSystem/volRoot /mnt
 mount /dev/sdX1 /mnt/boot

- mount the partitions,

 artools-chroot /mnt /bin/bash

- enter the chroot

 nano /etc/mkinitcpio.conf

- insert the "encrypt" to HOOKS:

 HOOKS="base udev autodetect modconf block encrypt keyboard keymap lvm2 resume filesystems fsck"

, and, finally,

 mkinitcpio -p linux

to apply this change.

Quick command summary

WARNING: uses /dev/sda

 sudo su
 parted -l
 parted -s /dev/sda print
 dd bs=4096 if=/dev/zero iflag=nocache of=/dev/sda oflag=direct status=progress
 sync
 parted -s /dev/sda mklabel msdos
 parted -s -a optimal /dev/sda mkpart "primary" "fat16" "0%" "1024MiB"
 parted -s /dev/sda set 1 boot on
 parted -s /dev/sda print
 parted -s /dev/sda align-check optimal 1
 parted -s -a optimal /dev/sda mkpart "primary" "ext4" "1024MiB" "100%"
 parted -s /dev/sda set 2 lvm on
 cat /proc/crypto | grep "serp"
 cryptsetup benchmark
 cat /proc/crypto | grep "serp"
 cryptsetup --verbose --type luks1 --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 10000 --use-random --verify-passphrase luksFormat /dev/sda2
 cryptsetup luksOpen /dev/sda2 lvm-system
 pvcreate /dev/mapper/lvm-system
 vgcreate lvmSystem /dev/mapper/lvm-system
 lvcreate -L 16G lvmSystem -n volSwap
 lvcreate -l +100%FREE lvmSystem -n volRoot
 mkfs.fat -n BOOT /dev/sda1
 mkswap /dev/lvmSystem/volSwap
 # Setting up swapspace version 1, size = 16 GiB (17179865088 bytes)
 # no label, UUID=313d2746-396a-4b2f-9b6b-cf174fbee7cd
 ### ^^^ REMEMBER THIS UUID, YOU WILL NEED IT LATER
 mkfs.ext4 -L volRoot /dev/lvmSystem/volRoot
 swapon /dev/lvmSystem/volSwap
 mount /dev/lvmSystem/volRoot /mnt
 mkdir /mnt/boot
 mount /dev/sda1 /mnt/boot
 ###
 nano /usr/lib/calamares/modules/bootloader/main.py
 cat /home/artix/Desktop/calamares.desktop | grep "Exec"
 # TryExec=calamares
 # Exec=pkexec env DISPLAY=:0 XAUTHORITY=/home/artix/.Xauthority QT_QPA_PLATFORMTHEME=gtk2 calamares
 ###
 ### nano /usr/lib/calamares/modules/bootloader/main.py
 ### ===> function "def run()" : prepare_bootloader(fw_type) ---> # prepare_bootloader(fw_type)
 ### That's to avoid a GRUB error in the end of installation
 ###
 pkexec env DISPLAY=:0 XAUTHORITY=/home/artix/.Xauthority QT_QPA_PLATFORMTHEME=gtk2 calamares
 ###
 nano /mnt/etc/fstab
 # ^^^ Delete all uncommented lines
 fstabgen -U /mnt >> /mnt/etc/fstab
 # Do all sed's manually:
 sed -i "s/ordered/ordered,discard/g" /mnt/etc/fstab
 # Insert to the end of /mnt/etc/fstab (without leading #)
 # tmpfs	/tmp	tmpfs	nodev,nosuid,size=8G	0 0
 ###
 artools-chroot /mnt /bin/bash
 passwd
 pacman -Sy
 # cat /etc/locale.gen --- already set up
 # cat /etc/localtime --- already set up
 cat /etc/conf.d/hostname
 nano /etc/conf.d/hostname
 # hostname="4rt1x"
 # ^^^ Change to your desired hostname
 nano /etc/mkinitcpio.conf
 # base udev autodetect modconf block keyboard keymap lvm2 filesystems fsck ===>
 # base udev autodetect modconf block encrypt keyboard keymap lvm2 resume filesystems fsck
 ###
 pacman -Rc artix-grub-theme
 pacman -S lvm2 cryptsetup linux mkinitcpio
 ###
 mkinitcpio -p linux
 pacman -S grub
 pacman -S dosfstools freetype2 fuse2 gptfdisk libisoburn mtools os-prober
 pacman -S iw memtest86+ wpa_supplicant
 ### /etc/default/grub modifications using a template: need to change two UUID's
 ### root UUID:
 blkid -s UUID -o value /dev/sda2
 # e15bf4e3-117f-493d-ad23-db8d042df21e
 ### swap UUID --- REMEMBER from a previous step:
 ### 313d2746-396a-4b2f-9b6b-cf174fbee7cd
 nano /etc/default/grub
 ### Use a template from https://wiki.artixlinux.org/Main/InstallationWithFullDiskEncryption#Configuration
 grub-install --target=i386-pc --boot-directory=/boot --bootloader-id=artix --recheck /dev/sda
 grub-mkconfig -o /boot/grub/grub.cfg
 ###
 pacman -S dosfstools freetype2 fuse2 gptfdisk libisoburn mtools os-prober
 pacman -S iw memtest86+ wpa_supplicant
 pacman -S device-mapper-openrc lvm2-openrc cryptsetup-openrc
 rc-update add device-mapper boot
 rc-update add lvm boot
 rc-update add dmcrypt boot
 rc-status sysinit | grep udev
 rc-update add dbus default
 rc-update add elogind boot
 pacman -S haveged haveged-openrc
 rc-update add haveged default
 pacman -S cronie cronie-openrc
 rc-update add cronie default
 ###
 pacman -S networkmanager networkmanager-openrc networkmanager-openvpn network-manager-applet
 rc-update add NetworkManager default
 pacman -S ntp ntp-openrc acpid acpid-openrc syslog-ng syslog-ng-openrc
 rc-update add ntpd default
 rc-update add acpid default
 rc-update add syslog-ng default
 ###
 pacman -S artools bash-completion lsof strace
 pacman -S wget htop mc zip samba unrar p7zip unzip
 pacman -S hdparm smartmontools hwinfo dmidecode
 pacman -S whois rsync nmap tcpdump inetutils net-tools ndisc6
 pacman -S yaourt
 exit
 ###
 umount -R /mnt
 swapoff -a
 sync
 reboot