I have installed my Fedora Workstation version 23 using native disk encryption.
Since then, I have been upgrading it using the dnf system-upgrade plugin.
Some time ago, I discovered that SHA1 is now discontinued.
Reading the cryptsetup luksDump of my encrypted system, I can see it was installed using SHA1:
LUKS-encrypted volumes using sha1 hashes should still be accessible for the foreseeable future, so I don’t think you will have a problem if you upgrade to F32 (having a backup is always A Good Idea™).
You can also reencrypt your device, using more modern options, but for that you should absolutely make sure that you have everything backed up and you might need to resize your partitions to make room for potentially larger headers. See this for some more information.
It is certainly doable, but you’ll need to make sure that you are not changing its size. From your experiments, are the headers identical (in size)?
I would feel safer redoing the whole thing, but with the caveats mentioned here, i.e. first re-encryption with the same options but with the --reduce-device-size flag and once you’ve made the required space, proceed with re-encrypting with more modern options.
If all you care about is upgrading to F32, the whole dilemma is moot, I think.
Yes. It keeps the same size, before and after: 2.068.480 bytes.
As I can see, new headers now have 16.777.216 bytes. Certainly it will require reallocating.
@alexpl I am already upgrading to newer versions using the dnf system-upgrade plugin. I am already on Fedora 32, working fine. But as I installed and encrypted my disk before SHA1 was discontinued, I really want to change the hash-spec to SHA256 or SHA512. But just that.
In this case, SHA512 had a better performance on benchmark, about 40% to 60% faster.
You can change iteration time and used hash function in existing LUKS header with cryptsetup-reencrypt utility even without full reencryption of device (see --keep-key option).
So, I will give it a try.
Do you think I have to change the hash using a LiveCD and with the encrypted volume unmounted?
Or can I change the hash even with the encrypted volume mounted and in use?
Since it’s an old volume, you have to use the old cryptsetup-reencrypt tool which works on unmounted devices, so yes, boot off a live medium to do that.
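A small check that follows the advice in this thread (read the `cryptsetup luksDump` output and look for a header still using SHA1 before deciding whether a `cryptsetup-reencrypt --keep-key` run is needed), added here as an example and not code from the original posts. The two dump texts are constructed, abridged samples, not real headers; `luks_hash_specs` and `luks_has_weak_hash` are names chosen for this example.

```shell
#!/bin/sh
# Added example: report whether a LUKS header still declares SHA1 as its
# key-derivation / digest hash, using only the text of `cryptsetup luksDump`.
# On a real system: cryptsetup luksDump /dev/sdX | luks_hash_specs

# Constructed LUKS1 sample (abridged): one global "Hash spec" line.
SAMPLE_LUKS1='LUKS header information for /dev/sda3
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        512
Key Slot 0: ENABLED
        Iterations:             201000'

# Constructed LUKS2 sample (abridged): hash listed per keyslot and per digest.
SAMPLE_LUKS2='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        AF hash:    sha256
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 113000'

# Print every hash name the dump declares, lowercased, one per line.
# Matches "Hash spec:" (LUKS1) as well as "Hash:" and "AF hash:" (LUKS2).
luks_hash_specs() {
    awk -F':[[:space:]]*' '
        /^[[:space:]]*(Hash spec|Hash|AF hash):/ { print tolower($2) }
    ' | sort -u
}

# Exit 0 if any declared hash is on the weak list (sha1, the case in this thread).
WEAK_HASHES="sha1"
luks_has_weak_hash() {
    for h in $(luks_hash_specs); do
        for w in $WEAK_HASHES; do
            [ "$h" = "$w" ] && return 0
        done
    done
    return 1
}

if printf '%s\n' "$SAMPLE_LUKS1" | luks_has_weak_hash; then
    echo "weak hash in header: re-key from a live medium with cryptsetup-reencrypt --keep-key --hash sha512"
fi
```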