Thought I would share this with you guys. I have been using a method to strengthen or harden my LUKS headers. Many of the common debian based distro's create the volumes using only sha1 and other lower quality "math" components in the header. I am referring to FDE where an LVM on LUKS is created in simple "auto-mode" from those distro's during system install. Problem is you end up with a weaker than easily available strength. For awhile, I was doing custom expert installs just to capture the hardened headers. Now I can accept the simple generic auto install knowing I can "fix" the weakness by doing the following simple procedure. I have done this now many times without any hitches at all. Cryptsetup offers a process/command whereby you can fully re-encrypt your entire LUKS container with your data fully IN PLACE. Cryptsetup will write through your original header and then convert your data through the header's algo turning it into plain text. It then sends the plain text (in RAM) back through the new header algo and writes the encrypted data back in place on the drive. I do this process using a LIVE Disk (14.04.5) so all volumes are static on the sata. I will paste a working example. Of course you need to know all passwords during the prompts for them. In the example below the LUKS container is on sda3. # offline and CLOSED during process: Reencrypt and also change cipher and cipher mode sudo cryptsetup-reencrypt /dev/sda3 -c twofish-xts-plain64 -s 512 -h sha512 -i 9000 On a very average machine I literally just finished a 150 Gig system in about 55 minutes or so. Works great. Made backups of the new LUKS header and MBR so I am good to go. ps - I always noise fill my disks before install so this reencrypt process does the entire 150 Gig not simply the used space. You could think of this as another "pass" of wiping. In a sense it is.