The security of any encryption system that's unlocked by the user's login passphrase, including fscrypt's login protectors, is limited by the strength of the password hashing in /etc/shadow. /etc/shadow by default uses SHA-512 with 5000 rounds, which is much weaker than fscrypt's Argon2 passphrase hashing. For fscrypt, we should provide appropriate guidance in the documentation and in the interactive output when creating a login protector. We should recommend that users should either increase the number of rounds in /etc/shadow, use a strong login passphrase, or use a custom passphrase protector instead.

Longer term, it would be nice if /etc/shadow would use a more modern passphrase hashing function, such as Argon2. That apparently would require making the crypt() function in glibc support it.