How to install with full system encryption and xchacha12,aes-adiantum-plain64?

Ask for help with issues regarding the Installations of the Debian O/S.
jdr
Posts: 1
Joined: 2024-04-11 06:00

How to install with full system encryption and xchacha12,aes-adiantum-plain64?

#1 Post by jdr »

Hi,

I've been using Debian for > 10 years on my NAS / Home Server and now also want to migrate 2 Notebooks from Xubuntu and 1 Workstation from Windows 10.

The first system for migration is my faithful travel companion: A 2013 Acer C710 Ex-Chromebook. For a mobile device like that, full system encryption is an absolute must have. Unfortunately, this system has a crappy Celeron CPU which is really slow and does not support AES-NI. The cipher xchacha12,aes-adiantum-plain64 is by far the fastest one (~260 MB/s decryption speed vs. << 100 MB/s for all others) and I have been using it without any major issues in the now to be replaced Xubuntu.

However, I have no idea how to install Debian the same way. Target partition scheme is:
  • sda1 128 MiB VFAT EFI-SP
  • sda2 256 MiB LUKS1 aes-xts-plain64 ext4 /boot
  • sda3 64 GiB LUKS2 xchacha12,aes-adiantum-plain64 ext4 /
  • sda4 rest LUKS2 xchacha12,aes-adiantum-plain64 ext4 /data (will be created after installation, not relevant here)
There is neither xchacha12 nor adiantum support in /proc/crypto and there are no loadable modules. In the live system, xchacha12,aes-adiantum-plain64 is supported, but I have no idea how to get the Calamares installer to use the pre-created and mapped encrypted partitions instead of creating its own.

The only idea I have is using the normal AES the installer provides and then running cryptsetup reencrypt from a live medium. But there must be an easier way.

What can I do?
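
The /proc/crypto check described in post #1, as an added example that is not part of the original thread: shell functions that map a dm-crypt cipher spec to its kernel crypto API name and list which base algorithms a /proc/crypto listing lacks. The function names and the sample listing are constructed for illustration, and the nhpoly1305 dependency is an assumption about the kernel's Adiantum template.

```sh
# Added example; function names are hypothetical, sample data is constructed.

# dm-crypt spec "cipher-chainmode-ivmode" -> kernel crypto API name, e.g.
#   xchacha12,aes-adiantum-plain64 -> adiantum(xchacha12,aes)
dmcrypt_to_kernel_name() {
    case $1 in *-*-*) ;; *) return 1 ;; esac
    cipher=${1%%-*}; rest=${1#*-}; mode=${rest%%-*}
    printf '%s(%s)\n' "$mode" "$cipher"
}

# True if FILE (in /proc/crypto format) has an entry "name : ALG".
crypto_has() {
    awk -v want="$1" '$1 == "name" && $3 == want { f = 1 } END { exit !f }' "$2"
}

# Print the base algorithms SPEC needs that FILE lacks; status 0 if none.
# Only base algorithms are checked: a template instance such as
# adiantum(xchacha12,aes) is listed only after it has been instantiated.
missing_algs() {
    file=${2:-/proc/crypto}
    kname=$(dmcrypt_to_kernel_name "$1") || return 2
    needed=$(printf '%s' "${1%%-*}" | tr ',' ' ')
    # Assumption: the kernel's Adiantum template hashes with nhpoly1305.
    case $kname in adiantum*) needed="$needed nhpoly1305" ;; esac
    missing=
    for alg in $needed; do
        crypto_has "$alg" "$file" || missing="$missing $alg"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Constructed excerpt: a kernel that registers AES and SHA-256 only.
sample_proc_crypto() {
    cat <<'EOF'
name         : aes
driver       : aes-generic
type         : cipher

name         : sha256
driver       : sha256-generic
type         : shash
EOF
}

tmp=$(mktemp) && sample_proc_crypto > "$tmp"
echo "kernel name: $(dmcrypt_to_kernel_name xchacha12,aes-adiantum-plain64)"
echo "missing:     $(missing_algs xchacha12,aes-adiantum-plain64 "$tmp")"
rm -f "$tmp"
```

Called with only a cipher spec, `missing_algs` reads the running kernel's /proc/crypto, so it can be run in both the live system and the installed system to compare them.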

cds60601
df -h | participant
Posts: 750
Joined: 2017-11-25 05:58
Location: Florida
Has thanked: 138 times
Been thanked: 70 times

Re: How to install with full system encryption and xchacha12,aes-adiantum-plain64?

#2 Post by cds60601 »

The Arch wiki is a great read for using dm-crypt; however, there does not seem to be an easy way of doing that. I wanted true full disk encryption some time ago and in the end, due to a shrinking timetable, I just opted for the normal encryption of the normal install process. I never really cared much for the Calamares install. If you happen to discover a way, I would be interested in knowing this.
Supercalifragilisticexpialidocious