@Edu4rdSHL
Forked from kravietz/luks-upgrade.md
Created July 13, 2019 22:28
Ubuntu LUKS cryptsetup upgrade

If you installed your #ubuntu with full-disk #encryption a while ago, you may want to upgrade your #luks header version to benefit from the improved #security and stronger password hashing algorithms of LUKS2.

Boot from USB

You can't change the LUKS header of the system you are currently running from, so you need to boot a live Ubuntu USB to get at the encrypted partition while it is not in use. First, create a bootable USB stick using a regular Ubuntu installer image.

  • Just get the latest installer ISO available
  • You need the full installer; the mini network installer won't work
  • You may need to disable Secure Boot in BIOS temporarily to boot from USB

After booting, run lsblk as root and you'll see a number of partitions on your built-in hard drive, usually sda. In the default Ubuntu setup the encrypted one will be the largest, and it will usually be sda3.

Upgrade LUKS

Check what version of LUKS header you have:

cryptsetup luksDump /dev/sda3

If it says Version: 2, just sit back and relax. If it says Version: 1, then you want to upgrade. But not without a backup of the header first:

cryptsetup luksHeaderBackup /dev/sda3 --header-backup-file backup.dat

Now the actual conversion - you need to confirm, and then it's quick and easy:

cryptsetup convert /dev/sda3 --type luks2

Just make sure you've got Version: 2 afterwards:

cryptsetup luksDump /dev/sda3

Now, why not change your full-disk encryption passphrase at the same time, so that the key slot is re-hashed with the stronger argon2id PBKDF:

cryptsetup luksChangeKey /dev/sda3 --pbkdf argon2id

Again, check what we got - in the key slot section you should see PBKDF: argon2id:

cryptsetup luksDump /dev/sda3

Just double-check that the passphrase still unlocks the volume (--test-passphrase only verifies the passphrase; it will not map or mount anything):

cryptsetup open /dev/sda3 /mnt --test-passphrase

If that works, get rid of the header backup you created earlier (even if it is only sitting on a ramdisk):

shred backup.dat

And reboot!
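The steps above rely on reading luksDump output by eye. The following is an added example, not part of the original gist, that parses that output to report the header version and any key slot not yet using argon2id; the two dumps it contains are constructed, abbreviated samples so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the original gist: parse the text that
# `cryptsetup luksDump` prints to find the header version and any key
# slot not yet on argon2id. The dumps below are constructed, abbreviated
# samples so this runs offline; on a real system pipe in
#   cryptsetup luksDump /dev/sda3
# instead.

# Header version from luksDump text on stdin: "1" or "2".
luks_version() {
    awk '$1 == "Version:" { print $2; exit }'
}

# Key slot numbers whose PBKDF is not argon2id. LUKS2 dumps print one
# "  N: luks2" block per slot; a LUKS1 dump has no PBKDF lines at all,
# so it yields nothing (the convert step has to come first).
luks_weak_slots() {
    awk '/^  [0-9]+: luks2/ { slot = $1; sub(":", "", slot) }
         $1 == "PBKDF:" && $2 != "argon2id" { print slot }'
}

# Constructed sample: LUKS1 header, as on older Ubuntu installs.
SAMPLE_LUKS1='LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Hash spec:      sha256
Key Slot 0: ENABLED'

# Constructed sample: LUKS2 header after `convert`; slot 0 still uses
# pbkdf2, slot 1 has been re-keyed with argon2id.
SAMPLE_LUKS2='LUKS header information
Version:        2
Keyslots:
  0: luks2
        PBKDF:      pbkdf2
        Iterations: 1000000
  1: luks2
        PBKDF:      argon2id
        Memory:     1048576'

# Stand-alone run: say which of the gist steps are still needed.
if [ "$(printf '%s\n' "$SAMPLE_LUKS1" | luks_version)" = "1" ]; then
    echo "LUKS1 header: back it up, then run cryptsetup convert --type luks2"
fi
weak=$(printf '%s\n' "$SAMPLE_LUKS2" | luks_weak_slots)
if [ -n "$weak" ]; then
    echo "key slots still not on argon2id (luksChangeKey --pbkdf argon2id): $weak"
fi
```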

@holocronweaver

Thanks for preserving this, very useful!
