diff --git a/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary b/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
index f3ad157..b536502 100644
--- a/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
+++ b/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
@@ -79,8 +79,8 @@ readonly -f preallocate
 #   42: on failure
 #######################################
 create_attestation() {
-  declare rootfs_file="$1"
-  declare rootfs_attestation="$2"
+  declare rootfs_file="${1}"
+  declare rootfs_attestation="${2}"
   declare rootfs_hash=""
   declare rootfs_size=""
 
@@ -105,9 +105,10 @@ create_attestation() {
 # CISS.debian.live.builder Master ${VAR_VERSION}
 # Attestation file for filesystem.squashfs Version 1.0.0
 # Boundary : Final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso
-# Bytes    : Final filesystem.squashfs ${VAR_ROOTFS_SIZE}
-${rootfs_hash}  ciss-rootfs.squashfs
+# Bytes    : Final filesystem.squashfs ${rootfs_size}
+${rootfs_hash}  filesystem.squashfs
 EOF
+
   chmod 0444 "${rootfs_attestation}"
 
   if gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
@@ -135,8 +136,6 @@ EOF
 
   fi
 
-  printf "\e[92m[INFO] Rootfs attestation manifest created and verified: [%s]. \e[0m\n" "${rootfs_attestation}"
-
   return 0
 }
 ### Prevents accidental 'unset -f'.
@@ -150,6 +149,9 @@ declare    DM_LAB="crypt_liveiso"
 declare    DEVMAP="/dev/mapper/${DM_LAB}"
 declare    LUKS_KEY_FILE="${VAR_TMP_SECRET}/${VAR_LUKS_KEY:-luks.txt}"
 declare    KEYFD=""
+# Keep Argon2 keyslot memory and parallel costs bounded for later initramfs unlocks on smaller systems.
+declare -i LUKS_PBKDF_MEMORY_KIB=262144
+declare -i LUKS_PBKDF_PARALLEL=1
 # shellcheck disable=SC2155
 declare -i VAR_ROOTFS_SIZE="$(stat -c%s -- "${ROOTFS}")"
 
@@ -190,6 +192,8 @@ if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then
     --luks2-keyslots-size 16777216 \
     --luks2-metadata-size 4194304 \
     --pbkdf argon2id \
+    --pbkdf-memory "${LUKS_PBKDF_MEMORY_KIB}" \
+    --pbkdf-parallel "${LUKS_PBKDF_PARALLEL}" \
     --sector-size 4096 \
     --type luks2 \
     --use-random \
@@ -209,6 +213,8 @@ elif [[ "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
     --luks2-keyslots-size 16777216 \
     --luks2-metadata-size 4194304 \
     --pbkdf argon2id \
+    --pbkdf-memory "${LUKS_PBKDF_MEMORY_KIB}" \
+    --pbkdf-parallel "${LUKS_PBKDF_PARALLEL}" \
     --sector-size 4096 \
     --type luks2 \
     --use-random \
diff --git a/docs/MAN_CISS_ISO_BOOT_CHAIN.md b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
index b238906..ba25a9c 100644
--- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md
+++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
@@ -49,15 +49,15 @@ private Secure Boot key names are detected in those paths before live-build chec
 
 # 4. Primitives & Parameters
 
-| Component    | Primitive / Parameter                                     | Purpose                                                |
-|--------------|-----------------------------------------------------------|--------------------------------------------------------|
-| LUKS2        | `aes-xts-plain64`, `--key-size 512`, `--sector-size 4096` | Confidentiality (2×256-bit XTS)                        |
-| dm-integrity | `hmac-sha512` (keyed), journal                            | Adversary-resistant per-sector integrity, authenticity |
-| PBKDF        | `argon2id`, `--iter-time 1000` ms                         | Key derivation, hardware-agnostic                      |
-| Signatures   | Ed25519 or RSA-4096 (FPR pinned)                          | Public verifiability, non-repudiation                  |
-| Verification | `gpgv --no-default-keyring`                               | No agent dependency in initramfs                       |
-| Hash lists   | `sha512sum` format                                        | Deterministic content verification                     |
-| Dropbear     | Modern KEX/AEAD (per `localoptions.h`)                    | Minimal attack surface, remote unlock                  |
+| Component    | Primitive / Parameter                                                            | Purpose                                                |
+|--------------|----------------------------------------------------------------------------------|--------------------------------------------------------|
+| LUKS2        | `aes-xts-plain64`, `--key-size 512`, `--sector-size 4096`                        | Confidentiality (2×256-bit XTS)                        |
+| dm-integrity | `hmac-sha512` (keyed), journal                                                   | Adversary-resistant per-sector integrity, authenticity |
+| PBKDF        | `argon2id`, `--iter-time 1000` ms, `--pbkdf-memory 262144`, `--pbkdf-parallel 1` | Bounded key derivation cost for initramfs unlock       |
+| Signatures   | Ed25519 or RSA-4096 (FPR pinned)                                                 | Public verifiability, non-repudiation                  |
+| Verification | `gpgv --no-default-keyring`                                                      | No agent dependency in initramfs                       |
+| Hash lists   | `sha512sum` format                                                               | Deterministic content verification                     |
+| Dropbear     | Modern KEX/AEAD (per `localoptions.h`)                                           | Minimal attack surface, remote unlock                  |
 
 # 5. Diagram: CISS Live ISO Boot Flow
 ```mermaid
@@ -165,6 +165,8 @@ cryptsetup luksFormat \
   --luks2-keyslots-size 16777216 \
   --luks2-metadata-size 4194304 \
   --pbkdf argon2id \
+  --pbkdf-memory 262144 \
+  --pbkdf-parallel 1 \
   --sector-size 4096 \
   --type luks2 \
   --use-random \