When you encrypt volumes like your laptop's SSD or USB sticks on Linux there's a high chance you're using Linux Unified Key Setup (LUKS) in the background. To decrypt volumes, LUKS uses your secret passphrase and puts it through a function to derive the actual volume decryption key. The key derivation function is supposed to be expensive to compute so that brute-force attacks are hard to pull off.
There are three problems with the LUKS setup in practice:
- The key derivation function gets benchmarked and tuned to your system to keep the decryption process short, e.g. below a second, because no one wants to wait too long
- Therefore, if you encrypt volumes on a weak device like a laptop, the key derivation function will be weak
- If you encrypted a device in the past and are still using its volume, you will not benefit from more recent key derivation function algorithms, which have stronger guarantees against brute-force attacks, e.g. attacks using GPUs
That's why you should re-key your devices every 5-10 years; as of 2022, that means LUKS2 and the Argon2id key derivation function.
Unfortunately, user interfaces like GNOME Disks will not help here, so we need to drop to the terminal.
If your system supports it (e.g. Ubuntu 22.04), use LUKS2 and the Argon2id key derivation function that comes with it. Then set Argon2id's memory parameter to as much memory as you can spare, and tune the number of iterations to adjust the time it takes to decrypt.
Here is an example of how to re-key an encrypted USB stick used for backups so that it uses Argon2id and takes longer to decrypt on a laptop, which is fine because I use it rarely and for cold storage.
```bash
# Check for encrypted LUKS volumes; say the output shows it's at /dev/sdb1
lsblk --fs
# See the current encryption and key derivation function settings
sudo cryptsetup luksDump /dev/sdb1
# Change the key derivation function while keeping the actual encrypted data untouched
# (--pbkdf-memory is given in KiB, so 1024000 is roughly 1 GiB)
sudo cryptsetup-reencrypt --keep-key --pbkdf argon2id --pbkdf-memory 1024000 --pbkdf-force-iterations 20 --pbkdf-parallel 4 /dev/sdb1
```
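As an added example that is not part of the original post, the following shell script reads the output of `cryptsetup luksDump` and reports, per keyslot, whether the volume still uses PBKDF2 or Argon2id with too little memory, i.e. whether it is due for the re-keying described above. The function name `luks_check_pbkdf`, the 512 MiB memory floor and the three luksDump excerpts are all constructed for this example; only the luksDump command itself comes from the post.

```shell
# Added example, not code from the original post: flag LUKS volumes whose
# keyslots should be re-keyed to Argon2id.
# Real usage:  sudo cryptsetup luksDump /dev/sdb1 | luks_check_pbkdf 524288
# The argument is the minimum Argon2id memory in KiB (luksDump prints "Memory:"
# in KiB); 524288 KiB = 512 MiB is an assumed floor chosen for this example.

luks_check_pbkdf() {
  awk -v minmem="${1:-524288}" '
    /^Version:/          { version = $2 }
    /^Keyslots:/         { inslots = 1; next }
    /^(Tokens|Digests):/ { inslots = 0 }
    # "  0: luks2" opens a keyslot block: remember its number and order
    inslots && /^ *[0-9]+: luks2/ { slot = $1; sub(":", "", slot); pbkdf[slot] = "?"; mem[slot] = 0; order[++n] = slot }
    inslots && /PBKDF:/  { pbkdf[slot] = $2 }
    inslots && /Memory:/ { mem[slot] = $2 }
    END {
      if (version == "1") {
        print "LUKS1 header: only PBKDF2 is possible; convert to LUKS2 before switching to Argon2id"
        exit 1
      }
      if (n == 0) { print "no LUKS2 keyslots found in input"; exit 1 }
      bad = 0
      for (i = 1; i <= n; i++) {
        s = order[i]
        if (pbkdf[s] != "argon2id") {
          printf "slot %s: PBKDF %s -> re-key with argon2id\n", s, pbkdf[s]; bad = 1
        } else if (mem[s] + 0 < minmem + 0) {
          printf "slot %s: argon2id with %s KiB memory, below %s KiB -> re-key\n", s, mem[s], minmem; bad = 1
        } else {
          printf "slot %s: argon2id with %s KiB memory -> ok\n", s, mem[s]
        }
      }
      exit bad
    }'
}

# Constructed luksDump excerpt: LUKS2 volume whose keyslot 0 is still on PBKDF2
# while keyslot 1 was already re-keyed to Argon2id with about 1 GiB of memory.
SAMPLE_MIXED='LUKS header information
Version:        2
Epoch:          5
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1200000
  1: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  20
        Memory:     1024000
        Threads:    4
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 139810'

# Constructed excerpt: every keyslot already on Argon2id with enough memory.
SAMPLE_GOOD='LUKS header information
Version:        2
Keyslots:
  0: luks2
        PBKDF:      argon2id
        Time cost:  20
        Memory:     1024000
        Threads:    4
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 139810'

# Constructed excerpt: old LUKS1 header, which only supports PBKDF2.
SAMPLE_LUKS1='LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Key Slot 0: ENABLED
        Iterations:             123456
Key Slot 1: DISABLED'

# Run the check over the constructed samples; exit status 0 means nothing to do.
for sample in "$SAMPLE_MIXED" "$SAMPLE_GOOD" "$SAMPLE_LUKS1"; do
  printf '%s\n' "$sample" | luks_check_pbkdf 524288 && echo "verdict: no re-key needed" || echo "verdict: re-key recommended"
  echo
done
```

The check only inspects keyslots, not the digest section, because the digest entry is always PBKDF2 in LUKS2 and is not what an attacker brute-forces; a LUKS1 header is reported separately since Argon2id is not available there at all.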