Changing master keys and re-enciphering secure keys
The information presented in this topic is valid for both CCA and EP11 master keys. How to set an EP11 master key is outlined in the EP11 documentation: Exploiting Enterprise PKCS #11 using openCryptoki. How to change a CCA master key is documented in How to set an AES master key.
For security and ease of use, always store your secure keys in a secure key repository. To manage a required change of the master key, you can then use the zkey utility to perform the required re-encryption.
If the secure keys are stored as volume keys in the LUKS2 header of your volume, you can use the zkey-cryptsetup utility to perform the re-encryption.
Also, you might have saved your secure key in a file. In this case, too, you can use the zkey utility to perform the re-encryption.