Upgrade from Luks => Luks2 on Main Disk?

Hi,

I set up my work laptop years ago with Fedora 28 and LUKS. Now I have Fedora 37 and plan to upgrade to F38, but a colleague sent me this link: Captcha Check and said I should watch out before upgrading - LUKS2 could kill my disk setup.

So I have checked my disks with lsblk.

> sudo cryptsetup status luks-1c7293dc-5cff-4577-a14b-b2af64f58961
/dev/mapper/luks-1c7293dc-5cff-4577-a14b-b2af64f58961 is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: dm-crypt
  device:  /dev/nvme0n1p5
  sector size:  512
  offset:  4096 sectors
  size:    1997772800 sectors
  mode:    read/write
  flags:   discards 

This is the only disk in my laptop. How do I upgrade to LUKS2?

 > sudo cryptsetup convert /dev/nvme0n1p5 --type luks2

...
Device "/dev/nvme0n1p5" cannot be converted because it is currently in use.
1 Like

Your approach seems to be fine but you have to do this from a live system so that the disk isn’t in use.

Also, make sure you have a working backup (at least of the LUKS header).

Does the Fedora 38 upgrade change anything about LUKS?
Can I upgrade Fedora first or should I upgrade LUKS first?

Distributions don’t touch existing LUKS containers during package updates or distribution upgrades. Only if you do a fresh install, you would get the latest defaults.

So, if you don’t reinstall, you’ll have to manually change the LUKS version and KDF.

Doesn’t matter.

cryptsetup in Fedora 37 and 38, see Overview - rpms/cryptsetup - src.fedoraproject.org

2 Likes

Just be aware that I don’t think that grub supports argon2id.

If your /boot is encrypted you may have issues booting.

1 Like

References:
GNU GRUB - Bugs: bug #55093, Add LUKS2 support [Savannah]
grub.git - GNU GRUB

It can do LUKS2 but only with PBKDF2 key derivation, not Argon2id; see commit message.

Yes, the problem is, switching to luks2 but keeping PBKDF2 isn’t that beneficial.

1 Like
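
Added example, not part of any post above: a shell check that reads `cryptsetup luksDump` output and reports which of the manual steps discussed in the thread (LUKS version, keyslot KDF) are still outstanding. The function names and the two sample dumps are constructed for illustration; real dumps contain many more fields.

```shell
#!/bin/sh
# Added example: report which manual LUKS upgrade steps are still outstanding.
# Real use (device path as in the thread):
#   sudo cryptsetup luksDump /dev/nvme0n1p5 | luks_todo

# Print "version=N" plus "slot=N pbkdf=NAME" for every LUKS2 keyslot on stdin.
luks_report() {
    awk '
        /^Version:/                  { print "version=" $2 }
        /^Keyslots:/                 { in_slots = 1; next }
        /^[A-Za-z]/                  { in_slots = 0 }   # any other top-level section
        in_slots && $1 ~ /^[0-9]+:$/ { slot = $1; sub(/:/, "", slot) }
        in_slots && /PBKDF:/         { print "slot=" slot " pbkdf=" $2 }
    '
}

# Print outstanding steps, one per line:
#   convert      header is LUKS1 (cryptsetup convert --type luks2, device unused)
#   convert-kdf  a keyslot still uses PBKDF2 (cryptsetup luksConvertKey --pbkdf ...)
#   none         LUKS2 with no PBKDF2 keyslot
luks_todo() {
    report=$(luks_report)
    if ! printf '%s\n' "$report" | grep -q '^version='; then
        echo "not a LUKS dump" >&2
        return 1
    fi
    if printf '%s\n' "$report" | grep -qx 'version=1'; then
        # LUKS1 keyslots are PBKDF2 and remain PBKDF2 after conversion.
        printf 'convert\nconvert-kdf\n'
    elif printf '%s\n' "$report" | grep -q 'pbkdf=pbkdf2$'; then
        printf 'convert-kdf\n'
    else
        printf 'none\n'
    fi
}

# Constructed, heavily abbreviated sample dumps (not from a real device).
sample_luks1() {
    printf '%s\n' 'LUKS header information for /dev/example' \
        'Version:        1' 'Cipher name:    aes' 'Key Slot 0: ENABLED'
}
sample_luks2() {
    printf '%s\n' 'LUKS header information' 'Version:        2' 'Keyslots:' \
        '  0: luks2' '        PBKDF:      pbkdf2' \
        '  1: luks2' '        PBKDF:      argon2id' 'Tokens:'
}
```

If /boot sits inside the encrypted volume, the GRUB limitation raised in the thread applies before acting on a `convert-kdf` result.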