0

I have successfully installed Arch Linux with full disk encryption; however, I omitted a passphrase in the hope that when starting up I won't be asked for a password. However, it still asks me for a password, where I simply hit enter.

First of all, is this a good idea?

I wanted to have something like BitLocker, where the drive is encrypted with no decrypt password.

NJones
  • 1
    For what purpose? – Hauke Laging Jul 12 '20 at 15:04
  • @HaukeLaging I had a scenario like this where the motherboard had a (small) embedded flash memory. I put the encryption key on that and locked down the BIOS so that it would only boot from the flash. Booting from this flash automatically unlocked the drives so the system would run. (Not as fancy as a TPM chip but quite satisfactory, and importantly it was under my control.) – roaima Jul 12 '20 at 16:58
  • 3
    @roaima I could think of scenarios myself. One is that it is much faster to erase just the LUKS header than erasing several terabytes of data. I just wanted to make sure that the whole approach makes sense for the questioner. – Hauke Laging Jul 12 '20 at 17:12
  • 1
    BitLocker uses your system's TPM to store the key on your computer's motherboard. That's not the same as having no password by a very long way! – Philip Couling Aug 19 '23 at 07:08

2 Answers

1

This is a frustratingly tricky topic and I'm not sure I can give a definitive step-by-step guide on how to set it up. But given the question is three years old with no good answers, I'll try to give an overview.

Is encrypting a drive with a blank encryption password a good idea?

No.

As others mentioned, its only practical use case would be making your data unreadable very quickly. But in terms of encryption uses, this is not effective at all. This is like fitting a huge high-tech vault door and then leaving the pass code on a sticky note stuck to the front. Anyone can walk in no matter how thick the door is.

Not a good idea.

What about BitLocker?

BitLocker does have a password, or rather it has a key. That key is stored on your motherboard's TPM. If you pop the hard drive out of the machine and put it in a different one, then you won't be able to read the data.

More importantly the TPM is "sealed" so that if the boot sequence is tampered with, it won't give out the encryption key. So an attacker cannot just mess with the unencrypted boot code on your machine to trick the TPM into giving out the key.

How to use the TPM on Linux?

Firstly, take the time to understand what a TPM is and what PCRs are, and especially which things each PCR measures (protects).

You can configure the TPM to seal your key based on any selection of PCRs. It's your responsibility to know your own boot sequence and ensure you use the right PCRs to prevent an attacker modifying your boot sequence.

⚠️ Warning ⚠️ If you don't properly protect your boot sequence with the right PCRs an attacker could simply reset your root password and then read all your data. You have been warned!

Secondly, once you are confident you know what you are doing, you can use systemd-cryptenroll to add a new key to your LUKS partition and embed that same key in your system's TPM.

Note that this might need to be done every time you install a new kernel, update grub, or update initramfs... that depends on which PCRs you use.

Thirdly you might be able to avoid consistently re-enrolling your key if you sign all your grub files and embed the public key in the grub stub in EFI. Theoretically this lets you include fewer PCRs and protect your grub configuration by using signatures instead.

Are TPMs perfect?

No

If an attacker can unsolder the TPM from your motherboard, or otherwise attach probes, then they might be able to read the keys right off the copper wire while booting your system. I'm not saying that's easy, but be warned that TPMs aren't totally rock solid.

Alternatives to using a TPM

You can store your keys in a file separately. E.g. the least secure way to do this is to have a USB drive on your keyring containing the keys as files and just plug it in when you plug in your laptop.

More securely, there are dedicated smart card devices (e.g. YubiKey) that can securely store keys for you in such a way that they are never given out. The smart card itself decrypts something for you. This is an area I've not personally investigated much, so I cannot easily advise on it further.

Philip Couling
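As an added illustration (not part of the original answer), this Python model shows the PCR trade-off described above: a key sealed to few PCRs survives a kernel update but is also released after tampering, while a wider selection refuses both and needs re-enrolling. The boot components, the PCR layout (4, 7, 9) and the key are constructed assumptions, and `policy` is a simplified stand-in for a real TPM PCR policy.

```python
import hashlib

def extend(pcr, data):
    # TPM extend operation: new PCR = SHA-256(old PCR || SHA-256(data)).
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def measure_boot(chain):
    # Replay a boot: every (pcr_index, blob) is extended into its PCR, in order.
    pcrs = {}
    for index, blob in chain:
        pcrs[index] = extend(pcrs.get(index, bytes(32)), blob)
    return pcrs

def policy(pcrs, selection):
    # Simplified stand-in for a TPM2 PCR policy: hash over the selected PCR values.
    h = hashlib.sha256()
    for index in sorted(selection):
        h.update(bytes([index]) + pcrs[index])
    return h.digest()

def seal(key, pcrs, selection):
    # Bind the key to the current values of the selected PCRs.
    return {"selection": tuple(selection), "policy": policy(pcrs, selection), "key": key}

def unseal(blob, current_pcrs):
    # The key is released only if the selected PCRs match their values at sealing time.
    if policy(current_pcrs, blob["selection"]) == blob["policy"]:
        return blob["key"]
    return None

# Constructed boot chains. Assumed, simplified PCR layout:
# 4 = boot loader, 7 = Secure Boot policy, 9 = kernel and initramfs.
GOOD = [(4, b"grubx64.efi v1"), (7, b"secure-boot: on, db=vendor"),
        (9, b"vmlinuz 6.1"), (9, b"initramfs 6.1")]
UPDATED = GOOD[:2] + [(9, b"vmlinuz 6.2"), (9, b"initramfs 6.2")]
TAMPERED = GOOD[:3] + [(9, b"initramfs 6.1 + injected hook")]
KEY = b"constructed-luks-volume-key"

def outcomes(selection):
    # Seal on the known-good boot, then report whether each boot gets the key back.
    sealed = seal(KEY, measure_boot(GOOD), selection)
    return {name: unseal(sealed, measure_boot(chain)) is not None
            for name, chain in (("good", GOOD), ("updated", UPDATED), ("tampered", TAMPERED))}

if __name__ == "__main__":
    for sel in ((7,), (4, 7, 9)):
        print(sel, outcomes(sel))
```

In this model nothing other than PCR 9 covers the initramfs, which is why the PCR 7-only selection still releases the key on the tampered boot.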
-1

You can create a volume with

cryptsetup luksFormat /dev/loop0 /dev/zero --keyfile-size 32

and run this during boot:

cryptsetup luksOpen /dev/loop0 cr_test --key-file /dev/zero --keyfile-size 32

As your volume has already been created you would have to add a key instead:

cryptsetup luksAddKey /dev/loop0 /dev/zero --new-keyfile-size 32 --iter-time 1
Hauke Laging