Securing device: How to disable JTAG port?
Hello everyone,
I am currently working on a design where we have strict security requirements. To prevent unauthorized readback, tampering, or reverse-engineering, our goal is to completely disable or lock the JTAG interface for production units.
I initially attempted to achieve this by simply turning the JTAG pins (specifically TDO on PIN_Y9 and TDI on PIN_W10) into standard, unused I/O. However, I ran into the following roadblocks:
- Pin Planner: These pins are greyed out/locked and cannot be edited or reassigned to user logic.
- Device and Pin Options: I went to Assignments -> Device -> Device and Pin Options -> Dual-Purpose Pins hoping to change them to "Use as regular I/O", but the JTAG pins are not listed in this menu at all (only pins like Data[15..8] are present).
Device Information:
- FPGA Family: Cyclone V
- Exact Part Number: 5CSEBA5U23I7
- Quartus Version: Quartus Prime Standard Edition (15.1.0.185)
My questions:
- What is the correct way to secure/disable JTAG? Since I cannot disable the pins in the GUI, what is the recommended Intel/Altera workflow to permanently lock or disable the JTAG port on this specific device family? Does this require blowing security fuses, enabling a specific "JTAG Secure Mode" via the .qsf, or relying strictly on Bitstream Encryption?
- Why the restriction? From an architectural standpoint, why are JTAG pins treated differently than other configuration pins (like AS or PS config pins)? Why aren't they available in the Dual-Purpose pins menu so they can be easily disconnected from the TAP controller?
Any guidance or links to the relevant security documentation for this device family would be greatly appreciated.
Thank you!
Hi,
For Cyclone V SoC, the JTAG pins are dedicated pins connected to the device’s TAP controller, so they cannot be reassigned as normal user I/O. This is why they are locked in Pin Planner and do not appear under Dual-Purpose Pins.
For production security, the recommended method is to use the device's Design Security features, in particular:
- JTAG Secure Mode
- encrypted configuration/programming
If physical access also needs to be blocked, this should be done at board level, for example by removing or isolating the external JTAG connection.
Please refer to Cyclone V Device Handbook Volume 1, Chapter 7: Configuration and Design Security, especially the sections on JTAG Secure Mode and Design Security Implementation Steps.
Regards,
Fakhrul
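A production-line acceptance check to go with the answer above, as an added example (not code from the thread, from Intel, or from the Quartus tools): it decodes IEEE 1149.1 IDCODEs into their version / part / manufacturer fields and checks a JTAG chain listing against the chain you expect on the board. The listing format is assumed to be what `jtagconfig` prints (a cable line followed by one indented `IDCODE name` line per device); the sample listing, the 5CSEBA5 IDCODE 0x02D120DD and the HPS DAP IDCODE 0x4BA00477 are constructed test data here, and the manufacturer codes 0x06E (Altera) and 0x23B (ARM) are assumptions from the JEDEC JEP106 tables, not values taken from the page.

```python
"""IDCODE decoder and JTAG-chain check for a lock-down acceptance test.

Added example, not code from the thread or from Intel's tooling.  It parses
text in the form that `jtagconfig` is assumed to print and compares the chain
against the devices expected on the production board.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# IEEE 1149.1 IDCODE layout: [31:28] version, [27:12] part number,
# [11:1] JEDEC manufacturer id, [0] always 1.
ALTERA_MFG_ID = 0x06E  # assumed JEP106 code seen in Altera/Intel FPGA IDCODEs
ARM_MFG_ID = 0x23B     # assumed JEP106 code seen in ARM CoreSight DAP IDCODEs


@dataclass(frozen=True)
class IdCode:
    version: int
    part: int
    manufacturer: int


def decode_idcode(idcode: int) -> IdCode:
    """Split a 32-bit IDCODE into its IEEE 1149.1 fields.

    Bit 0 must be 1; a 0 there means the shifted-in value came from a
    BYPASS register (no IDCODE) or a mis-aligned scan, not from a device.
    """
    if idcode & 1 == 0:
        raise ValueError(f"IDCODE 0x{idcode:08X} has bit 0 clear (BYPASS, not a device)")
    return IdCode(
        version=(idcode >> 28) & 0xF,
        part=(idcode >> 12) & 0xFFFF,
        manufacturer=(idcode >> 1) & 0x7FF,
    )


# Constructed sample listing in the assumed `jtagconfig` format: the HPS debug
# access port enumerates first, then the FPGA fabric TAP.
SAMPLE_JTAGCONFIG = """\
1) USB-Blaster [1-2]
  4BA00477   SOCVHPS
  02D120DD   5CSEBA5
"""

_DEVICE_LINE = re.compile(r"^\s+([0-9A-Fa-f]{8})\s+(\S+)")


def parse_jtagconfig(listing: str) -> List[Tuple[int, str]]:
    """Return (idcode, name) for every indented device line in the listing."""
    devices = []
    for line in listing.splitlines():
        m = _DEVICE_LINE.match(line)
        if m:
            devices.append((int(m.group(1), 16), m.group(2)))
    return devices


def check_chain(listing: str, expected: List[int]) -> List[str]:
    """Compare the enumerated chain with the expected IDCODEs, in order.

    Returns a list of human-readable problems; an empty list means the chain
    is exactly what the board design says it should be.  Manufacturer fields
    are decoded so an unexpected vendor (a spoofed or swapped part) is named.
    """
    problems = []
    found = parse_jtagconfig(listing)
    if len(found) != len(expected):
        problems.append(f"expected {len(expected)} device(s), enumerated {len(found)}")
    for pos, ((got, name), want) in enumerate(zip(found, expected)):
        if got != want:
            mfg = decode_idcode(got).manufacturer
            vendor = {ALTERA_MFG_ID: "Altera/Intel", ARM_MFG_ID: "ARM"}.get(mfg, f"0x{mfg:03X}")
            problems.append(
                f"position {pos}: expected 0x{want:08X}, got 0x{got:08X} ({name}, vendor {vendor})"
            )
    return problems


if __name__ == "__main__":
    # In production, replace SAMPLE_JTAGCONFIG with the captured stdout of
    # `jtagconfig` run against the unit under test.
    for code, name in parse_jtagconfig(SAMPLE_JTAGCONFIG):
        f = decode_idcode(code)
        print(f"{name:10s} 0x{code:08X} ver={f.version} part=0x{f.part:04X} mfg=0x{f.manufacturer:03X}")
    issues = check_chain(SAMPLE_JTAGCONFIG, [0x4BA00477, 0x02D120DD])
    print("chain OK" if not issues else "\n".join(issues))
```

One caveat on what this check proves: the handbook section the answer points to describes JTAG Secure Mode as still honouring the mandatory IEEE 1149.1 instructions, IDCODE among them, so a secured unit is expected to pass this enumeration check. Treat a clean chain as confirmation that the board and cable are right, and verify the lock itself separately by confirming that the non-mandatory operations you intend to block (configuration and readback over JTAG) are refused on the secured unit.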