The libgcrypt library in CentOS 6 has a flaw in the Whirlpool algorithm implementation.
The bug is fixed in the later version of the library included in CentOS 7. LUKS containers
created by using the libgcrypt present in CentOS 6 cannot be unlocked by using the one
present in CentOS 7 unless the GCRYPT_WHIRLPOOL_BUG environmental variable is set.

For optional LUKS containers (not involved in the system boot) it is not a critical
obstacle, and administrators can unlock such containers by using the environmental variable above.
The situation is different when you deal with mandatory volumes: 
In case the preupgrade script detects the Whirlpool hash in one of the volumes
involved in the system boot (any volume listed in the /etc/crypttab configuration file),
it is considered to be a blocking event for the in-place upgrade to continue. We strongly
recommend to rehash the LUKS header by using the cryptsetup-reencrypt package added to
CentOS 6.6 and later versions.

A command for rehashing the LUKS header without changing the master key:

# cryptsetup-reencrypt -h sha1 --keep-key <path_to_luks_device>

Supply a device identified to be using the Whirlpool hash instead of the
pattern: <path_to_luks_device>.

The SHA-1 function is a recommended hash function for LUKS headers in CentOS 6 and also in CentOS 7.

We also recommend to rehash all optional volumes.
