cryptsetup-reencrypt
Re-encrypt a LUKS device in place (online for LUKS2, offline for LUKS1)
SYNOPSIS
cryptsetup reencrypt [<options>] <device>
cryptsetup reencrypt --encrypt [--reduce-device-size <size>] [<options>] <device>
cryptsetup reencrypt --decrypt [<options>] <device>
cryptsetup-reencrypt [<options>] <device>   (legacy standalone binary, deprecated since 2.4.0)
PARAMETERS
--batch-mode, -q
Suppress prompts and confirmations; use defaults or fail.
--cipher, -c <cipher>-<mode>-<iv>
New data cipher spec, e.g. aes-xts-plain64 (cipher, block mode, IV generator).
--debug
Show debug output.
--decrypt
Remove LUKS encryption in place, leaving plaintext on the device.
--encrypt, --new, -N
Encrypt an existing plain device in place; make room for the header with --reduce-device-size, or keep the header elsewhere with --header.
--hash, -h <hash>
Hash for PBKDF2 keyslots and the anti-forensic splitter (e.g. sha256).
--header <file|device>
Detached LUKS header to use, or to create with --encrypt.
--help, -?
Show help.
--iter-time, -i <ms>
PBKDF benchmark time in milliseconds for the rewritten keyslots.
--key-file, -d <file>
Read the passphrase from a file.
--key-size, -s <bits>
New volume key size in bits (512 for aes-xts-plain64: XTS splits it into two 256-bit AES keys).
--key-slot, -S <slot>
Unlock with this keyslot only; otherwise the passphrase of every active keyslot is requested so that each can be rewritten for the new volume key.
--master-key-file <file>
Read the new volume key from a file instead of generating it (alias: --volume-key-file).
--pbkdf <pbkdf>
Keyslot PBKDF for LUKS2: pbkdf2, argon2i or argon2id (argon2id is the usual compiled-in default). LUKS1 accepts only pbkdf2.
--pbkdf-force-iterations <n>
Fixed PBKDF iteration (time cost) count instead of the --iter-time benchmark.
--progress-frequency <seconds>
Progress report interval in seconds.
--reduce-device-size <size>[b|k|m|g]
Shift the data by <size> to make room for a new header at the start of the device (with --encrypt). The last <size> of the device is overwritten, so shrink the filesystem by at least that much first.
--resilience checksum|journal|none
Crash protection for the LUKS2 hotzone being rewritten (default checksum).
--resume-only
Only continue an interrupted LUKS2 reencryption; never start a new one.
--sector-size <bytes>
Encryption sector size, a power of two from 512 to 4096 (LUKS2 only).
--tries, -T <num>
Maximum passphrase attempts.
--type luks1|luks2
Header type to create with --encrypt.
--use-random, --use-urandom
Kernel RNG for the new volume key; the compiled-in default is shown by cryptsetup --help.
--verbose, -v
Verbose mode.
--verify-passphrase, -y
Ask for a new passphrase twice.
--version, -V
Print version.
DESCRIPTION
The cryptsetup reencrypt action (historically the standalone cryptsetup-reencrypt binary) re-encrypts an existing LUKS device in place: each chunk is decrypted with the current volume key and cipher and written back with the new ones. LUKS2 devices can be re-encrypted online, while the mapping stays open and mounted; LUKS1 devices only offline, with the device closed. The same action encrypts a plain device in place (--encrypt) or removes encryption from a LUKS device (--decrypt).
Typical reasons are replacing a legacy cipher mode (aes-cbc-essiv:sha256 to aes-xts-plain64), moving from a 256-bit to a 512-bit XTS key (XTS splits the key in two, so 512 bits is what gives AES-256), rotating a volume key that may have been exposed, or changing the sector size. Changing only keyslot parameters does not require rewriting the data: luksChangeKey re-creates a keyslot with a new passphrase and fresh PBKDF cost, and luksConvertKey (LUKS2) changes its PBKDF algorithm. Converting a LUKS1 header to LUKS2 is cryptsetup convert --type luks2 and leaves the data untouched.
Re-encryption proceeds sequentially in chunks (LUKS2 calls them hotzones) through dm-crypt mappings. LUKS2 keeps the progress and the --resilience recovery data in the header, so an interrupted run is continued by running the action again (--resume-only refuses to start anything else); the legacy LUKS1 tool keeps a log file and a header backup in the working directory for the same purpose. Passphrases are prompted for unless --key-file is given; without --key-slot, every active keyslot must be unlocked so that it can be rewritten for the new volume key.
Limits: the whole device is read and rewritten, so the run is I/O-bound and takes hours on large disks, and while it runs the data is only as safe as the recovery state: with --resilience none a crash can lose the hotzone in flight, and a failing disk can lose more.
Requires root. Online re-encryption needs LUKS2 and cryptsetup 2.2.0 or later; offline LUKS1 re-encryption is available through cryptsetup-reencrypt since 1.5.0 and through cryptsetup reencrypt since 2.4.0.
CAVEATS
Back up the header (cryptsetup luksHeaderBackup) and the data first, and keep the header backup off the device. Re-encryption is in place and needs no spare space the size of the device, but a LUKS2 header needs free keyslot area for the new volume key's keyslots and the reencryption metadata; check cryptsetup luksDump for free slots before starting. Online mode is LUKS2 only; LUKS1 devices and --encrypt targets must be closed and unmounted. --reduce-device-size overwrites the tail of the device, so shrink the filesystem first. Avoid --batch-mode on a device you cannot afford to lose. Root only; rehearse the exact command on a loop device.
ONLINE VS OFFLINE
Online: LUKS2 only. The device stays open (and mounted); dm-crypt keeps serving I/O while one hotzone at a time is rewritten, so the visible cost is throughput. Selected automatically when the LUKS2 device is active. Offline: the device is closed. Required for LUKS1 and for --encrypt of a plain device, whose filesystem cannot stay mounted while its blocks are moved.
BASIC EXAMPLE
cryptsetup reencrypt /dev/sda1 --key-size 512
Generates a new 512-bit volume key and rewrites the data with it; the existing cipher (assumed aes-xts-plain64 here) must accept that key size. Runs online if /dev/sda1 is an open LUKS2 device, offline if it is a closed LUKS2 or LUKS1 device. The passphrase of every active keyslot is requested.
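As an added example (not part of cryptsetup or of this page's original text), a POSIX shell pre-flight script for the decision above: it parses cryptsetup luksDump output for the LUKS version, data cipher, key size and keyslot PBKDF, reports whether the job can run online (LUKS2) or must run offline (LUKS1), flags legacy parameters, and prints the reencrypt invocation to review. The two header dumps embedded in it are constructed samples in luksDump's layout, not captures from real devices, and the device names are placeholders. Run it as root with a device argument to use a real header.

```shell
#!/bin/sh
# Pre-flight for `cryptsetup reencrypt`. Added example, not part of cryptsetup.
# Parses a `cryptsetup luksDump` header for version, data cipher, key size and
# keyslot PBKDF, decides online (LUKS2) vs offline (LUKS1), and prints the
# invocation to review. SAMPLE_DUMP_* are constructed in luksDump's layout.
set -eu

SAMPLE_DUMP_LUKS1='LUKS header information for /dev/sda1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
MK bits:        256'

SAMPLE_DUMP_LUKS2='LUKS header information
Version:        2

Data segments:
  0: crypt
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id'

# field DUMP LABEL: value of the first "LABEL: value" line. Case-sensitive, so
# the data segment's "cipher:" and a keyslot's "Cipher:" stay distinct.
field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}
luks_version() { field "$1" Version; }

# LUKS1 splits the spec over "Cipher name"/"Cipher mode"; LUKS2 prints it whole.
data_cipher() {
  if [ "$(luks_version "$1")" = 1 ]; then
    printf '%s-%s\n' "$(field "$1" 'Cipher name')" "$(field "$1" 'Cipher mode')"
  else
    field "$1" cipher
  fi
}
key_bits() {
  if [ "$(luks_version "$1")" = 1 ]; then field "$1" 'MK bits'
  else field "$1" Key | sed 's/ bits$//'; fi
}
# LUKS1 keyslots are always PBKDF2; only the hash varies.
keyslot_pbkdf() {
  if [ "$(luks_version "$1")" = 1 ]; then printf 'pbkdf2-%s\n' "$(field "$1" 'Hash spec')"
  else field "$1" PBKDF; fi
}
# Online reencryption exists only for LUKS2; a LUKS1 device must be closed.
reencrypt_mode() {
  if [ "$(luks_version "$1")" = 2 ]; then echo online; else echo offline; fi
}

# Reasons the data itself needs rewriting (keyslot-only changes do not):
# legacy CBC modes, or an XTS key under 512 bits (XTS uses two AES keys).
weak_reasons() {
  cipher=$(data_cipher "$1"); bits=$(key_bits "$1"); reasons=""
  case "$cipher" in
    *-cbc-plain|*-cbc-plain64|*-cbc-essiv:*) reasons="legacy CBC mode ($cipher)" ;;
  esac
  case "$cipher" in
    *-xts-*) if [ "$bits" -lt 512 ]; then reasons="${reasons:+$reasons; }xts key only $bits bits"; fi ;;
    *)       if [ "$bits" -lt 256 ]; then reasons="${reasons:+$reasons; }key only $bits bits"; fi ;;
  esac
  printf '%s\n' "$reasons"
}

# Invocation to review before running it as root. Passphrases are prompted for
# every active keyslot; nothing here stores them.
plan_command() {
  cmd="cryptsetup reencrypt --cipher aes-xts-plain64 --key-size 512"
  if [ "$(reencrypt_mode "$1")" = online ]; then
    cmd="$cmd --pbkdf argon2id --resilience checksum"   # LUKS2 keyslot PBKDF, hotzone protection
  else
    cmd="$cmd --hash sha256"                            # LUKS1: PBKDF2 hash is the only keyslot knob
  fi
  printf '%s %s\n' "$cmd" "$2"
}

show_plan() {
  printf '%s: LUKS%s %s %s-bit %s -> %s reencryption\n' "$2" "$(luks_version "$1")" \
    "$(data_cipher "$1")" "$(key_bits "$1")" "$(keyslot_pbkdf "$1")" "$(reencrypt_mode "$1")"
  r=$(weak_reasons "$1")
  if [ -n "$r" ]; then echo "  reason: $r"; else echo "  cipher current; reencrypt only to rotate the volume key"; fi
  echo "  run:    $(plan_command "$1" "$2")"
}

if [ -n "${1:-}" ]; then
  show_plan "$(cryptsetup luksDump "$1")" "$1"   # real header: needs root
else
  show_plan "$SAMPLE_DUMP_LUKS1" /dev/sda1
  show_plan "$SAMPLE_DUMP_LUKS2" /dev/sdb2
fi
```

The script only prints the command; reviewing it before pasting it into a root shell is the point, since a typo in --cipher or --key-size is applied to every sector of the device.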
IN-PLACE ENCRYPTION EXAMPLE
cryptsetup reencrypt --encrypt --type luks2 --reduce-device-size 32M /dev/sda1
Encrypts a plain device in place. --reduce-device-size does not shrink the encrypted device to a target size; it shifts the data by 32 MiB so that the new header (16 MiB by default; cryptsetup recommends reserving twice that) fits at the start, and whatever occupied the last 32 MiB of the device is destroyed. Shrink the filesystem by at least 32 MiB first (resize2fs for ext4, with the device unmounted) and keep the device closed for the whole run.
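As an added example (not cryptsetup's own code), the complete --encrypt / --reduce-device-size procedure for an unmounted ext4 partition: refuse if the device is mounted or already LUKS, shrink the filesystem so the last 32 MiB are free, then run reencrypt --encrypt with a matching --reduce-device-size. The 32 MiB reserve (twice the default 16 MiB LUKS2 header), the ext4 tools and the util-linux helpers are assumptions; the device name is a placeholder.

```shell
#!/bin/sh
# In-place encryption of a plain ext4 partition with
# `cryptsetup reencrypt --encrypt --reduce-device-size`. Added example, not
# part of cryptsetup. Assumes ext4 (e2fsck/resize2fs) and util-linux (findmnt,
# blockdev). The reserve follows cryptsetup's advice to leave at least twice
# the header size; 16 MiB is the default LUKS2 header, so 32 MiB here.
set -eu

HEADER_RESERVE_MIB=32

# shrunk_fs_kib SECTORS RESERVE_MIB: filesystem size in KiB that leaves
# RESERVE_MIB free at the end of a device of SECTORS 512-byte sectors.
shrunk_fs_kib() {
  kib=$(( $1 / 2 )); reserve_kib=$(( $2 * 1024 ))
  if [ "$kib" -le "$reserve_kib" ]; then
    echo "device of $1 sectors is too small for a $2 MiB reserve" >&2; return 1
  fi
  echo $(( kib - reserve_kib ))
}

# Refuse to rewrite a filesystem that is mounted or a device that is already LUKS.
check_target() {
  if findmnt -rn -S "$1" >/dev/null 2>&1; then echo "$1 is mounted" >&2; return 1; fi
  if cryptsetup isLuks "$1" 2>/dev/null; then echo "$1 is already LUKS" >&2; return 1; fi
}

encrypt_in_place() {
  dev=$1
  check_target "$dev"
  target_kib=$(shrunk_fs_kib "$(blockdev --getsz "$dev")" "$HEADER_RESERVE_MIB")
  e2fsck -f "$dev"                      # resize2fs requires a freshly checked fs
  resize2fs "$dev" "${target_kib}K"     # frees the last HEADER_RESERVE_MIB MiB
  # Data is shifted by the reserve and the LUKS2 header lands in the freed space.
  # The passphrase for the new keyslot is prompted interactively.
  cryptsetup reencrypt --encrypt --type luks2 \
    --reduce-device-size "${HEADER_RESERVE_MIB}M" "$dev"
  cryptsetup luksDump "$dev" | sed -n '/^Data segments/,/^$/p'   # verify the data offset
}

if [ -n "${1:-}" ]; then
  encrypt_in_place "$1"   # destructive; run as root on a backed-up device
else
  echo "usage: $0 /dev/<unmounted-plain-ext4-partition>" >&2
fi
```

Because the filesystem is shrunk by exactly the reserve, the data area of the new LUKS2 device matches the filesystem size and nothing needs to be grown back afterwards.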
HISTORY
Offline re-encryption first shipped as the standalone cryptsetup-reencrypt binary in cryptsetup 1.5.0 (2012), LUKS1 only, with a log file and header backup in the working directory for recovery. LUKS2 arrived in 2.0.0 (2017) together with the Argon2 PBKDF options. Online re-encryption, implemented as the cryptsetup reencrypt action with hotzones and header-resident recovery state, came in 2.2.0 (2019) for LUKS2. Since 2.4.0 (2021) cryptsetup reencrypt also handles LUKS1 offline and the standalone binary is deprecated. Maintained by Milan Broz and the cryptsetup/dm-crypt project.
SEE ALSO
cryptsetup(8), cryptsetup-luksFormat(8), cryptsetup-luksDump(8), cryptsetup-luksHeaderBackup(8), cryptsetup-convert(8), dmsetup(8)


