When you encrypt volumes like your laptop's SSD or USB sticks on Linux there's a high chance you're using Linux Unified Key Setup (LUKS) in the background. To decrypt volumes, LUKS uses your secret passphrase and puts it through a function to derive the actual volume decryption key. The key derivation function is supposed to be expensive to compute so that brute-force attacks are hard to pull off.
There are three problems with the LUKS setup in practice
- The key derivation function gets benchmarked and tuned to your system to keep the decryption process short e.g. below a second because no one wants to wait too long
- Therefore, if you encrypt volumes with a weak device like a laptop, the key derivation function will we weak
- If you encrypted a device in the past and are still using its volume, you will not benefit from more recent key derivation function algorithms which have stronger guarantees against brute force attacks e.g. using GPUs
That's why you should re-key y