I am able to decrypt the partition outside of a VM without the rescue "CD". Since I can also decrypt using the installer CD as rescue, this means the failure is specific to booting via grub and initrd.
This seems to indicate the installer created the encrypted partition properly but the boot environment it created is either handling the pass-phrase incorrectly (e.g., include \n) or is missing some other part of the machinery necessary. The most obvious candidate is from the error message
> Check that kernel supports aes-xts-plain64 cipher
I don't know how to check that, but looking in config-4.19.0-1-amd64 on the boot partition, I see some partial matches that might be relevant:
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_AES_TI is not set
CONFIG_CRYPTO_AES_X86_64=m
CONFIG_CRYPTO_AES_NI_INTEL=m
CONFIG_CRYPTO_XTS=m
I don't see anything that looks like plain.
The buster system created by the installer includes aesni-intel.ko, but the initrd does not.
Ross