Board Development & Technical Discussion
Re: FDE while running a node on SSD
by
takuma sato
on 29/03/2025, 15:33:00 UTC
--snip--
What version of Debian is that screenshot from? I remember watching tutorials, and at no point in time did they ask you about any specifics, nor did I see any possibility to modify the specification details for the encryption procedure. I only remember two passwords. One was for the root admin setting, and another for the actual encryption, and it was set in a confusing way where you didn't really know what the passwords were doing, so hopefully they changed this, since I'm talking about some years ago. I'm just going to get the Debian 12 ISO and try for myself.

That StackExchange answer mentioned it's based on Debian buster, which means Debian version 10 (ten). But I can confirm such an option also exists in the Debian 12 installer, although it's still very easy to miss such manual configuration.

I'm still asking what settings would be good to run a node at though, since I want security but also don't want to blow up the drive by overdoing the encryption and then have it do heavy lifting with the node syncing process. If anyone is an expert in this field here, perhaps you could recommend some better non-default settings?

I don't have a good answer to your questions. But there are a few things I can mention and suggest.
1. Run this command to find the encrypt/decrypt speed on your device.

Code:
$ sudo cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1      2421653 iterations per second for 256-bit key
PBKDF2-sha256    4675924 iterations per second for 256-bit key
PBKDF2-sha512    2118335 iterations per second for 256-bit key
PBKDF2-ripemd160 1012138 iterations per second for 256-bit key
PBKDF2-whirlpool  823058 iterations per second for 256-bit key
argon2i       7 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
argon2id      8 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        128b      1306.0 MiB/s      3412.6 MiB/s
    serpent-cbc        128b       132.7 MiB/s       908.4 MiB/s
    twofish-cbc        128b       266.3 MiB/s       470.2 MiB/s
        aes-cbc        256b      1021.8 MiB/s      3320.1 MiB/s
    serpent-cbc        256b       137.9 MiB/s       910.7 MiB/s
    twofish-cbc        256b       272.5 MiB/s       470.3 MiB/s
        aes-xts        256b      3389.5 MiB/s      3343.4 MiB/s
    serpent-xts        256b       817.8 MiB/s       810.2 MiB/s
    twofish-xts        256b       453.8 MiB/s       453.9 MiB/s
        aes-xts        512b      3012.4 MiB/s      3017.8 MiB/s
    serpent-xts        512b       829.7 MiB/s       815.1 MiB/s
    twofish-xts        512b       453.4 MiB/s       456.6 MiB/s

2. Use a longer password, to make brute-force impractical.
3. Read this very long FAQ, https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions.

But just like other people[1-2], I believe the default configuration is secure enough.

[1] https://security.stackexchange.com/a/131105
[2] https://security.stackexchange.com/a/39309

What about partitions? Some people add swap partitions and some don't. There's also the discussion of whether the boot partition should be encrypted too. I believe VeraCrypt encrypted the boot partition too when you did FDE, but with default settings on these Linux wizards I believe they don't encrypt the boot partition. That would just be to make sure all partitions are encrypted. On the screenshot, it talks about a partition, but I assume since it says sda and not sda1, or sda2 etc., that means it's referring to the entire disk that is being encrypted?

As far as the speeds, they seem decent enough I guess, aes is the clear winner. I assume 256b key is enough and 512b isn't needed.
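The question in the thread is really whether the cipher or the SSD sets the ceiling for a syncing node. Below is an added example (not code from either poster or from the cryptsetup project) that parses the `cryptsetup benchmark` output pasted in the reply above and compares each cipher's slower direction against an assumed drive speed. One fact worth keeping in mind when reading the table, documented in the cryptsetup FAQ: XTS mode consumes two keys, so the "aes-xts 512b" row is AES-256 and "aes-xts 256b" is AES-128, while the cbc rows use the whole key. The SSD figures passed in at the bottom (550 and 3500 MiB/s) are assumed SATA- and NVMe-class numbers, not measurements from anyone's drive.

```python
"""Read `cryptsetup benchmark` output and decide whether the cipher, rather
than the SSD, would limit a node's disk throughput.

Added example, not code from the forum post or from cryptsetup. SAMPLE is
the benchmark output pasted in the reply above; SSD speeds are assumptions.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1      2421653 iterations per second for 256-bit key
PBKDF2-sha256    4675924 iterations per second for 256-bit key
PBKDF2-sha512    2118335 iterations per second for 256-bit key
PBKDF2-ripemd160 1012138 iterations per second for 256-bit key
PBKDF2-whirlpool  823058 iterations per second for 256-bit key
argon2i       7 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
argon2id      8 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        128b      1306.0 MiB/s      3412.6 MiB/s
    serpent-cbc        128b       132.7 MiB/s       908.4 MiB/s
    twofish-cbc        128b       266.3 MiB/s       470.2 MiB/s
        aes-cbc        256b      1021.8 MiB/s      3320.1 MiB/s
    serpent-cbc        256b       137.9 MiB/s       910.7 MiB/s
    twofish-cbc        256b       272.5 MiB/s       470.3 MiB/s
        aes-xts        256b      3389.5 MiB/s      3343.4 MiB/s
    serpent-xts        256b       817.8 MiB/s       810.2 MiB/s
    twofish-xts        256b       453.8 MiB/s       453.9 MiB/s
        aes-xts        512b      3012.4 MiB/s      3017.8 MiB/s
    serpent-xts        512b       829.7 MiB/s       815.1 MiB/s
    twofish-xts        512b       453.4 MiB/s       456.6 MiB/s
"""

# Matches only the cipher table rows; the KDF lines and the header are skipped.
CIPHER_LINE = re.compile(
    r"^\s*([a-z0-9]+-(?:cbc|xts))\s+(\d+)b\s+([\d.]+) MiB/s\s+([\d.]+) MiB/s\s*$"
)


@dataclass(frozen=True)
class CipherResult:
    cipher: str      # e.g. "aes-xts"
    key_bits: int    # the key size as cryptsetup reports it (--key-size)
    enc_mib_s: float
    dec_mib_s: float

    @property
    def effective_bits(self) -> int:
        # XTS needs two keys, so cryptsetup's "aes-xts 512b" is AES-256
        # and "aes-xts 256b" is AES-128; CBC uses the whole key as one.
        return self.key_bits // 2 if self.cipher.endswith("-xts") else self.key_bits

    @property
    def worst_mib_s(self) -> float:
        # A node both writes (sync) and reads (validation, serving blocks),
        # so the slower direction is the one that can bottleneck it.
        return min(self.enc_mib_s, self.dec_mib_s)


def parse_ciphers(text: str) -> list[CipherResult]:
    """Extract the cipher/key/throughput rows from benchmark output."""
    rows = []
    for line in text.splitlines():
        m = CIPHER_LINE.match(line)
        if m:
            rows.append(CipherResult(m.group(1), int(m.group(2)),
                                     float(m.group(3)), float(m.group(4))))
    return rows


def fastest(rows: list[CipherResult], mode: str = "xts") -> CipherResult:
    """Fastest cipher in the given mode, ranked by its slower direction."""
    candidates = [r for r in rows if r.cipher.endswith("-" + mode)]
    return max(candidates, key=lambda r: r.worst_mib_s)


def cipher_is_bottleneck(row: CipherResult, ssd_mib_s: float) -> bool:
    """True if the cipher's slower direction cannot keep up with the drive."""
    return row.worst_mib_s < ssd_mib_s


if __name__ == "__main__":
    rows = parse_ciphers(SAMPLE)
    best = fastest(rows)
    print(f"fastest XTS: {best.cipher} {best.key_bits}b "
          f"(AES-{best.effective_bits}), {best.worst_mib_s:.1f} MiB/s")
    aes256 = next(r for r in rows if r.cipher == "aes-xts" and r.key_bits == 512)
    for ssd in (550.0, 3500.0):   # assumed SATA- and NVMe-class figures
        print(f"SSD at {ssd:.0f} MiB/s: aes-xts 512b a bottleneck? "
              f"{cipher_is_bottleneck(aes256, ssd)}")
```

On the pasted numbers, aes-xts at 512b (AES-256) still decrypts at about 3 GiB/s in memory, so it only becomes the limiting factor on a drive faster than that; on a SATA SSD the disk is the bottleneck regardless of key size. Since the benchmark uses memory only, the real ceiling on the node is the drive, and `cryptsetup benchmark` is best read as a check that the CPU has headroom, not as a disk speed prediction.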