Although considered improbable, it’s not impossible.
Getting back closer to topic of using/switching to Argon2id here are some not so scientific times for various Argon2id parameters on a standard Librem 5, the times should be considered +/-0.5 seconds and also consider that not all boots are exactly equal. The times are the duration, during boot, between hitting enter on the passphrase screen to being presented with the OS lockscreen.
Default (baseline):
# cryptsetup luksConvertKey /dev/mmcblk0p2
PBKDF: argon2i Time cost: 4 Memory**: 360507 Threads: 4
Duration (Passphrase to lockscreen): ~18 seconds
** Memory from benchmarking can vary, I have seen this value anywhere from ~330M to ~370M
Now might be a good time to point out that if you set non-default parameters you have to pass those parameters to any command/action that operates on the key slots (e.g. luksChangeKey, reencrypt, etc,.) if you do not pass the additional parameters cryptsetup will assert defaults.
1G memory costs…
# cryptsetup luksConvertKey --pbkdf argon2id --pbkdf-force-iterations 4 \
--pbkdf-memory $((1024*1024)) --pbkdf-parallel 4 /dev/mmcblk0p2
PBKDF: argon2id Time cost: 4 Memory: 1048576 Threads: 4
Duration (Passphrase to lockscreen): ~20 seconds
For the Librem 5, the boot time cost for the same level of passphrase protection as @irvinewade’s benchmarked desktop is ~3 seconds…
# cryptsetup luksConvertKey --pbkdf argon2id --pbkdf-force-iterations 5 \
--pbkdf-memory $((1024*1024)) --pbkdf-parallel 4 /dev/mmcblk0p2
PBKDF: argon2id Time cost: 5 Memory: 1048576 Threads: 4
Duration (Passphrase to lockscreen): ~21 seconds
1.5G memory costs…
# cryptsetup luksConvertKey --pbkdf argon2id --pbkdf-force-iterations 4 \
--pbkdf-memory $((3*512*1024)) --pbkdf-parallel 4 /dev/mmcblk0p2
PBKDF: argon2id Time cost: 4 Memory: 1518702 Threads: 4
Duration (Passphrase to lockscreen): ~22 seconds
# cryptsetup luksConvertKey --pbkdf argon2id --pbkdf-force-iterations 5 \
--pbkdf-memory $((3*512*1024)) --pbkdf-parallel 4 /dev/mmcblk0p2
PBKDF: argon2id Time cost: 5 Memory: 1518702 Threads: 4
Duration (Passphrase to lockscreen): ~24 seconds
~1.5G is as much as you’ll get for the memory cost on a standard Librem 5 with 3G RAM. If you want to harden your passphrase protection further you can manipulate the LUKS header off-line from another machine with higher resources…
2G memory costs…
# cryptsetup luksConvertKey --pbkdf argon2id --pbkdf-force-iterations 4 \
--pbkdf-memory $((2*1024*1024)) --pbkdf-parallel 4 /dev/mmcblk0p2
PBKDF: argon2id Time cost: 4 Memory: 2097152 Threads: 4
Duration (Passphrase to lockscreen): ~26 seconds
# cryptsetup luksConvertKey --pbkdf argon2id --pbkdf-force-iterations 5 \
--pbkdf-memory $((2*1024*1024)) --pbkdf-parallel 4 /dev/mmcblk0p2
PBKDF: argon2id Time cost: 5 Memory: 2097152 Threads: 4
Duration (Passphrase to lockscreen): ~28 seconds
2.25G memory costs…
# cryptsetup luksConvertKey --pbkdf argon2id --pbkdf-force-iterations 4 \
--pbkdf-memory $((9*256*1024)) --pbkdf-parallel 4 /dev/mmcblk0p2
PBKDF: argon2id Time cost: 4 Memory: 2359296 Threads: 4
Duration (Passphrase to lockscreen): ~26.5 seconds
# cryptsetup luksConvertKey --pbkdf argon2id --pbkdf-force-iterations 5 \
--pbkdf-memory $((9*256*1024)) --pbkdf-parallel 4 /dev/mmcblk0p2
PBKDF: argon2id Time cost: 5 Memory: 2359296 Threads: 4
Duration (Passphrase to lockscreen): ~29 seconds
2.25G is about as high as you can go while still being able to operate on the key slot area, at 2.5G, the phone will boot fine but any attempts to operate on the key slots while the system is live/running will most likely fail due to running out of memory verifying the key slot passphrase.
2.5G memory costs…
# cryptsetup luksConvertKey --pbkdf argon2id --pbkdf-force-iterations 4 \
--pbkdf-memory $((5*512*1024)) --pbkdf-parallel 4 /dev/mmcblk0p2
PBKDF: argon2id Time cost: 4 Memory: 2621440 Threads: 4
Duration (Passphrase to lockscreen): ~27.5 seconds
# cryptsetup luksConvertKey --pbkdf argon2id --pbkdf-force-iterations 5 \
--pbkdf-memory $((5*512*1024)) --pbkdf-parallel 4 /dev/mmcblk0p2
PBKDF: argon2id Time cost: 5 Memory: 2621440 Threads: 4
Duration (Passphrase to lockscreen): ~30 seconds