Hey, cryptsetup uses LUKS, so SHA-1 is hardcoded in the source code. You can't change the hash with the -h option. SHA-1 is maybe insecure because of an attack that can reduce the strength of SHA-1 from 2^160 to 2^52 (http://eprint.iacr.org/2009/259.pdf). So you can do a possible exhaustive key search in 7 days with a code-breaking machine (COPACOBANA). So you shouldn't use SHA-1. Please add this patch; it uses libgcrypt and overrides the hardcoded SHA-1. Now you can use the rest of the hash algorithms.

Reproducible: Always
Created attachment 195094: SHA-1 libgcrypt patch
At this point, these should go through upstream. We don't have people interested in maintaining these external patches.