Security configuration for Bazzite. LUKS disk encryption with TPM auto-unlock, secure boot key management, and sudo password feedback. Use when users need to configure security features.
View on GitHub: atrawog/bazzite-ai-plugins
bazzite/skills/security/SKILL.md
January 21, 2026
npx add-skill https://github.com/atrawog/bazzite-ai-plugins/blob/main/bazzite/skills/security/SKILL.md -a claude-code --skill security
Installation paths:
.claude/skills/security/

# Security - Bazzite Security Configuration

## Overview

Bazzite security features including LUKS disk encryption with TPM auto-unlock, and sudo password visibility settings.

## Quick Reference

| Command | Description |
|---------|-------------|
| `ujust setup-luks-tpm-unlock` | Enable TPM auto-unlock for LUKS |
| `ujust remove-luks-tpm-unlock` | Remove TPM auto-unlock |
| `ujust toggle-password-feedback` | Toggle sudo asterisk feedback |

## LUKS TPM Unlock

### Setup TPM Auto-Unlock

```bash
# Enable automatic LUKS unlock via TPM
ujust setup-luks-tpm-unlock
```

**What it does:**

- Binds LUKS encryption to TPM 2.0
- System unlocks automatically at boot
- No password prompt needed

**Requirements:**

- TPM 2.0 chip
- LUKS-encrypted root partition
- Secure Boot recommended

**Process:**

1. Verifies TPM availability
2. Creates TPM binding
3. Updates initramfs
4. Tests unlock

### Remove TPM Unlock

```bash
# Remove TPM auto-unlock
ujust remove-luks-tpm-unlock
```

Returns to password-based unlock at boot.

**Use when:**

- Selling/giving away machine
- Security concerns
- TPM issues

## Sudo Password Feedback

### Toggle Asterisks

```bash
# Toggle sudo password asterisk feedback
ujust toggle-password-feedback
```

**With feedback:**

```
[sudo] password for user: ****
```

**Without feedback (default):**

```
[sudo] password for user:
```

**Security note:** Asterisks reveal password length. Default (no feedback) is more secure.

## Common Workflows

### Secure Boot Setup

```bash
# 1. Enroll secure boot key (for NVIDIA)
ujust enroll-secure-boot-key

# 2. Setup TPM unlock
ujust setup-luks-tpm-unlock

# Reboot to test
systemctl reboot
```

### Disable Before Selling

```bash
# Remove TPM binding
ujust remove-luks-tpm-unlock

# Clear TPM (in BIOS/UEFI)
# Factory reset recommended
```

## TPM Status

### Check TPM Availability

```bash
# TPM version and status
tpm2_getcap properties-fixed | head -20

# TPM PCR values
tpm2_pcrread
```

### Check LUKS Binding

```bash
# L
```
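
A read-only pre-flight check for the requirements listed under "Setup TPM Auto-Unlock" (TPM 2.0, a LUKS container, Secure Boot recommended), as an added example that is not part of the original skill or the Bazzite project. The function names, the `--check` switch and the default sysfs/efivars paths are assumptions for a typical Linux host, and the script does not reproduce what `ujust setup-luks-tpm-unlock` runs internally.

```bash
#!/usr/bin/env bash
# Added example (not from the Bazzite project): read-only checks for the
# requirements above. Default paths are assumptions for a typical Linux host.

# Print the TPM major version (2 for TPM 2.0), or nothing if no TPM is exposed.
tpm_major() {
    local dev="${1:-/sys/class/tpm/tpm0}"
    [ -r "$dev/tpm_version_major" ] && cat "$dev/tpm_version_major"
    return 0
}

# Print enabled/disabled/unknown from the UEFI SecureBoot variable, whose file
# holds 4 attribute bytes followed by 1 data byte (1 = enabled).
secure_boot_state() {
    local var="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
    [ -r "$var" ] || { echo unknown; return 0; }
    case "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' \n')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Read "NAME FSTYPE" lines (format of `lsblk -rno NAME,FSTYPE`) on stdin and
# print LUKS container names. This shows a container exists, not that it
# backs the root filesystem.
luks_devices() { awk '$2 == "crypto_LUKS" { print $1 }'; }

# Args: tpm_major secure_boot_state luks_names. TPM 2.0 and LUKS are hard
# requirements; Secure Boot is only recommended, so it just warns.
evaluate() {
    local rc=0
    if [ "$1" = "2" ]; then echo "ok: TPM 2.0"; else echo "FAIL: TPM 2.0 not found"; rc=1; fi
    if [ -n "$3" ]; then echo "ok: LUKS: $3"; else echo "FAIL: no LUKS container"; rc=1; fi
    [ "$2" = "enabled" ] || echo "warn: Secure Boot is $2"
    return "$rc"
}

# Run against the live system only when asked: ./preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    evaluate "$(tpm_major)" "$(secure_boot_state)" \
        "$(lsblk -rno NAME,FSTYPE | luks_devices | tr '\n' ' ')"
fi
```

A non-zero exit status means a hard requirement is missing; a Secure Boot warning alone still exits 0.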