Security - Bazzite Security Configuration¶

Overview¶

Bazzite security features including LUKS disk encryption with TPM auto-unlock, and sudo password visibility settings.

Quick Reference¶

Command	Description
`ujust setup-luks-tpm-unlock`	Enable TPM auto-unlock for LUKS
`ujust remove-luks-tpm-unlock`	Remove TPM auto-unlock
`ujust toggle-password-feedback`	Toggle sudo asterisk feedback

LUKS TPM Unlock¶

Setup TPM Auto-Unlock¶

# Enable automatic LUKS unlock via TPM
ujust setup-luks-tpm-unlock

What it does: - Binds LUKS encryption to TPM 2.0 - System unlocks automatically at boot - No password prompt needed

Requirements: - TPM 2.0 chip - LUKS-encrypted root partition - Secure Boot recommended

Process: 1. Verifies TPM availability 2. Creates TPM binding 3. Updates initramfs 4. Tests unlock

Remove TPM Unlock¶

# Remove TPM auto-unlock
ujust remove-luks-tpm-unlock

Returns to password-based unlock at boot.

Use when: - Selling/giving away machine - Security concerns - TPM issues

Sudo Password Feedback¶

Toggle Asterisks¶

# Toggle sudo password asterisk feedback
ujust toggle-password-feedback

With feedback:

[sudo] password for user: ****

Without feedback (default):

[sudo] password for user:

Security note: Asterisks reveal password length. Default (no feedback) is more secure.

Common Workflows¶

Secure Boot Setup¶

# 1. Enroll secure boot key (for NVIDIA)
ujust enroll-secure-boot-key

# 2. Setup TPM unlock
ujust setup-luks-tpm-unlock

# Reboot to test
systemctl reboot

Disable Before Selling¶

# Remove TPM binding
ujust remove-luks-tpm-unlock

# Clear TPM (in BIOS/UEFI)
# Factory reset recommended

TPM Status¶

Check TPM Availability¶

# TPM version and status
tpm2_getcap properties-fixed | head -20

# TPM PCR values
tpm2_pcrread

Check LUKS Binding¶

# List LUKS tokens
cryptsetup luksDump /dev/<device> | grep Token

# Check systemd-cryptenroll
systemd-cryptenroll --tpm2-device=list

Troubleshooting¶

TPM Unlock Fails¶

Common causes: - BIOS update changed PCR values - Secure Boot state changed - Hardware change detected

Fix:

# Re-enroll TPM
ujust remove-luks-tpm-unlock
ujust setup-luks-tpm-unlock

TPM Not Found¶

Check:

# Verify TPM device
ls /dev/tpm*

# TPM status
tpm2_getcap properties-fixed

Enable in BIOS: - Find TPM/Security settings - Enable TPM 2.0

After BIOS Update¶

TPM PCR values change after BIOS updates, breaking auto-unlock.

Fix:

# Boot with password
# Then re-enroll
ujust remove-luks-tpm-unlock
ujust setup-luks-tpm-unlock

Sudo Password Not Showing¶

If you want asterisks:

ujust toggle-password-feedback

Manual fix:

# Edit sudoers
sudo visudo

# Add line:
# Defaults pwfeedback

Security Best Practices¶

For TPM Unlock¶

Enable Secure Boot - Prevents boot tampering
Set BIOS password - Prevents Secure Boot changes
Keep backup passphrase - For recovery
Re-enroll after BIOS updates

For General Security¶

Use strong passwords
Enable automatic updates (ujust toggle-updates)
Consider password feedback OFF (hides length)
Check SSH settings (ujust config sshd status)

Cross-References¶

bazzite:boot - Secure boot key enrollment
bazzite:storage - LUKS volume management
bazzite-ai:configure - SSH and service security

When to Use This Skill

Use when the user asks about: - "LUKS unlock", "disk encryption", "TPM unlock" - "auto unlock", "boot without password", "encrypted boot" - "remove TPM", "disable auto unlock" - "sudo password", "asterisks", "password feedback" - "security settings", "secure boot", "TPM"