Change passphrase should also reencrypt to change the LUKS volume key
Users might change a persistence passphrase after suspecting that their previous passphrase was compromised. They expect their data to then be protected by the new passphrase. But due to wear leveling, the old keyslot may remain, potentially for a very long time, allowing a compromised passphrase to recover the volume key and read the entire persistent storage.
If cryptsetup reencrypt were called after a passphrase change, the old password would not be able to read any data written since the passphrase change, as well as data before the passphrase change that did not remain in internal pools.
Steps to reproduce:
1. Create a persistent storage.
2. cryptsetup luksDump --dump-master-key /dev/sda2
3. Change the passphrase.
4. cryptsetup luksDump --dump-master-key /dev/sda2
The MK dump remains unchanged.
Since passphrases don't need rotation unless they are suspected to be compromised, the MK should rotate when the passphrase is changed, to protect against the possibility of a remnant compromised keyslot.
See 5.19 of the cryptsetup FAQ: https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/FAQ.md#5-security-aspects
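The before/after comparison from the steps above can be done without printing the key itself, by comparing the volume key digest that plain `cryptsetup luksDump` shows for LUKS2 headers. This is an added example, not code from this issue, Tails or cryptsetup; it assumes the LUKS2 luksDump text layout, the function names are hypothetical, and the sample dumps are constructed.

```python
import re

ENTRY = re.compile(r"^\s+(\d+):\s+\S+\s*$")        # e.g. "  0: pbkdf2"
FIELD = re.compile(r"^\s+([A-Za-z ]+):\s*(.*)$")   # e.g. "\tSalt:       aa bb"

def digest_records(dump):
    """Parse the 'Digests:' section of LUKS2 luksDump text into {id: {field: value}}."""
    records, current, field, in_digests = {}, None, None, False
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                  # top-level heading, e.g. "Keyslots:"
            in_digests, current, field = line.strip() == "Digests:", None, None
            continue
        if not in_digests:
            continue
        entry, fld = ENTRY.match(line), FIELD.match(line)
        if entry:
            current, field = records.setdefault(entry.group(1), {}), None
        elif fld and current is not None:
            field = fld.group(1).strip()
            current[field] = fld.group(2).strip()
        elif field:                                # wrapped hex continuation line
            current[field] += " " + line.strip()
    return records

def fingerprints(dump):
    recs = digest_records(dump)
    if not recs:
        raise ValueError("no Digests section found (is this LUKS2 luksDump output?)")
    return sorted((r.get("Hash", ""), r.get("Salt", ""), r.get("Digest", ""))
                  for r in recs.values())

def volume_key_unchanged(before, after):
    """True when both dumps carry the same volume key digest (same salt and value)."""
    return fingerprints(before) == fingerprints(after)

def sample_dump(salt, digest, keyslot_salt):
    # Constructed, abbreviated luksDump text; not captured from a real device.
    return ("LUKS header information\nVersion:       \t2\n\nKeyslots:\n"
            "  0: luks2\n\tKey:        512 bits\n"
            f"\tSalt:       {keyslot_salt}\n\tDigest ID:  0\n"
            "Tokens:\nDigests:\n  0: pbkdf2\n\tHash:       sha256\n"
            f"\tIterations: 100000\n\tSalt:       {salt}\n\t            {salt}\n"
            f"\tDigest:     {digest}\n\t            {digest}\n")

BEFORE = sample_dump("aa aa", "11 22", "01 02")
AFTER_PASSPHRASE_CHANGE = sample_dump("aa aa", "11 22", "0f 0e")  # new keyslot only
AFTER_REENCRYPT = sample_dump("bb bb", "33 44", "0f 0e")          # new key digest
```

Feed it the text of `cryptsetup luksDump /dev/sda2` saved before and after the passphrase change; `True` means the header still carries the same volume key digest.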