
As a supplement to the answer from @frostschutz about cryptsetup reencrypt:

cryptsetup reencrypt

cryptsetup reencrypt is a secure way to renew a LUKS container without having to move the data contained within.

This saves an enormous amount of time and space.

The data does not need to be extracted, the container does not need to be recreated, and the data does not need to be copied back.

It is used to add, remove, or change passwords or keyfiles; to upgrade older LUKS containers to more modern, secure algorithms; or to change the size of an encrypted container if the underlying partition has been enlarged.

ALWAYS BE SURE YOU HAVE RELIABLE BACKUP BEFORE USING THIS ACTION ON LUKS DEVICE.

Cryptsetup reencrypt action can be used to change reencryption parameters, which otherwise require full on-disk data change (re-encryption). The reencrypt action reencrypts data on the LUKS device in-place.

You can regenerate volume key (the real key used in on-disk encryption unlocked by passphrase), cipher, cipher mode or encryption sector size (LUKS2 only).

More sources:

luksHeaderBackup

For now and for the future, also check out luksHeaderBackup. First, secure the header using luksHeaderBackup.

The header backup itself doesn't solve the problem; the sector size remains 4096.

But it allows you to re-encrypt risk-free. You can safely test things like --reduce-device-size because a corrupted header can be quickly restored.

And if the reencrypt attempt fails, you can restore the header and continue opening it with the loop device as before.
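
The backup-then-reencrypt sequence described above, as an added shell example that is not part of the original answer. The function names, return codes, and the device, backup-path and sector-size arguments are assumptions, and `luks_sector_size` relies on the `sector:` line that `luksDump` prints for LUKS2 data segments.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): header backup + verification
# before an in-place reencrypt. Device, backup path and size are caller-supplied.

backup_luks_header() {
    local dev="$1" backup="$2"
    [ -e "$dev" ] || { echo "no such device or image: $dev" >&2; return 1; }
    # luksHeaderBackup will not overwrite a file; fail early with a clear code.
    [ ! -e "$backup" ] || { echo "backup already exists: $backup" >&2; return 2; }
    command -v cryptsetup >/dev/null || { echo "cryptsetup not installed" >&2; return 3; }
    cryptsetup isLuks "$dev" || { echo "$dev has no LUKS header" >&2; return 4; }

    # The header contains the keyslots, so keep the copy private.
    ( umask 077
      cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup" ) || return 5

    # The copy must parse as LUKS and carry the same UUID as the device.
    [ "$(cryptsetup luksUUID "$dev")" = "$(cryptsetup luksUUID "$backup")" ] \
        || { echo "backup UUID does not match device" >&2; return 6; }
    sha256sum "$backup" > "$backup.sha256"
}

# Print the encryption sector size recorded in a LUKS2 header
# (works on the device or on the header backup file).
luks_sector_size() {
    cryptsetup luksDump "$1" | awk '$1 == "sector:" { print $2; exit }'
}

reencrypt_sector_size() {
    local dev="$1" backup="$2" size="$3"
    backup_luks_header "$dev" "$backup" || return
    echo "sector size before: $(luks_sector_size "$dev")"
    # Restore with luksHeaderRestore only if no data was rewritten; an
    # interrupted LUKS2 reencrypt is resumed by running reencrypt again.
    cryptsetup reencrypt --sector-size "$size" "$dev" || {
        echo "reencrypt failed; header backup kept at $backup" >&2
        return 7
    }
    echo "sector size after: $(luks_sector_size "$dev")"
}
```

Called as `reencrypt_sector_size <device> <backup-file> 512`, with the backup file stored on a different disk than the LUKS device.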
