How to install with full system encryption and xchacha12,aes-adiantum-plain64?

Hi,

I've been using Debian for > 10 years on my NAS / Home Server and now also want to migrate 2 Notebooks from Xubuntu and 1 Workstation from Windows 10.

The first system for migration is my faithful travel companion: A 2013 Acer C710 Ex-Chromebook. For a mobile device like that, full system encryption is an absolute must have. Unfortunately, this system has a crappy Celeron CPU which is really slow and does not support AES-NI. The cipher xchacha12,aes-adiantum-plain64 is by far the fastest one (~260 MB/s decryption speed vs. << 100 MB/s for all others) and I have been using it without any major issues in the now to be replaced Xubuntu.

However, I have no idea how to install Debian the same way. Target partition scheme is:

• sda1 128 MiB VFAT EFI-SP
• sda2 256 MiB LUKS1 aes-xts-plain64 ext4 /boot
• sda3 64 GiB LUKS2 xchacha12,aes-adiantum-plain64 ext4 /
• sda4 rest LUKS2 xchacha12,aes-adiantum-plain64 ext4 /data (will be created after installation, not relevant here)

There is neither xchacha12 nor adiantum support in /proc/crypto and there are no loadable modules. In the live system, xchacha12,aes-adiantum-plain64 is supported, but I have no idea how to use the calamares installer to use the pre-created and mapped encrypted partitions instead of creating own ones.

The only idea I have is using the normal AES the installer provides and then running cryptsetup reencrypt from a live medium. But there must be an easier way.

What can I do?

Statistics: Posted by jdr — 2024-04-11 06:34 — Replies 1 — Views 41

---