Restoring Boot: Fixing FDE & TPM Breakage in Ubuntu Core 24 After Snap Refresh
Ubuntu Core 24 utilizes TPM-backed Full Disk Encryption (FDE) to secure the system by "sealing" encryption keys against the state of the device's firmware and kernel. A significant issue has been identified where performing a snap refresh on the pc or pc-kernel snaps causes a mismatch in the expected boot measurements. When the PCR (Platform Configuration Register) values change due to a kernel update or a bootloader asset shift, the TPM refuses to "unseal" the disk encryption key, causing the system to halt and demand a 32-digit FDE recovery key. This tutorial provides the necessary steps to recover access and re-seal the device to prevent recurring prompts.
Table of Contents
- Purpose of FDE and TPM Sealing
- Scenario: The PC-Kernel Refresh Culprit
- Step-by-Step: Recovering and Re-sealing
- Best Results: Key Management
- FAQ
- Disclaimer
Purpose
The primary purpose of this guide is to assist users in navigating the TPM Measurement Gap. In Ubuntu Core, the chain of trust relies on the TPM verifying that the kernel has not been tampered with. However, if snapd fails to correctly predict and update the new measurements (reseal) during an automatic update of the pc-kernel snap, the trust is broken.
- Unlocking the Volume: Using the recovery key to manually decrypt the `ubuntu-data` and `ubuntu-save` partitions.
- Restoring Auto-Unlock: Forcing `snapd` to recognize the new kernel state so it can re-store the secret back into the TPM for future boots.
Use Case
This tutorial is critical for users managing Ubuntu Core 24 devices who experience:
- Sudden Boot Failure: The device worked fine until a background `snap refresh` occurred.
- Lockout on Reboot: The screen displays a `🔐 Please enter the recovery key for disk...` message.
- Headless Maintenance: Accessing a remote device that is stuck in the pre-boot stage.
Step-by-Step
1. Locate Your Recovery Key
Before the break occurs (or if you have access to your documentation), you must have the recovery key.
- If the device is still running, retrieve it now: `sudo snap recovery --show-keys`.
- If you are already at the boot prompt, you must find the 32-digit key provided during the initial installation of the device.
2. Enter the Key at the Boot Prompt
When the device asks for the key:
- Type the 32-digit recovery key exactly as provided.
- Note that characters may not echo on the screen for security.
- Press Enter. If valid, the system will proceed to boot into "Run Mode."
3. Force Re-sealing of the TPM
Simply entering the key once does not always fix the "sealing" issue. You must ensure snapd completes the transition.
- Once logged in, check the status of snap changes: `snap changes`.
- Look for any "Done" but unapplied tasks related to `pc-kernel`.
- Run a manual refresh to ensure the policy is updated: `sudo snap refresh pc-kernel`.
- Verify encryption status: `sudo snap recovery`.
4. Handling "DA Lockout" Mode
If you enter the key incorrectly too many times, the TPM may enter Dictionary Attack (DA) Lockout.
- Message: `the TPM is in DA lockout mode`.
- Fix: You must wait for the lockout timer to expire (usually 30–60 minutes) or clear the TPM from the BIOS/UEFI settings, which will require a full re-installation.
Best Results
| Component | Refresh Risk | Prevention Strategy |
|---|---|---|
| pc-kernel | High | Always backup recovery keys before manual refreshes. |
| pc (gadget) | Medium | Avoid BIOS/Firmware updates simultaneously with snap refreshes. |
| snapd | Low | Ensure snapd is at the latest version before kernel refreshes. |
FAQ
Why didn't Ubuntu Core automatically re-seal the key?
This is often a timing issue or a bug in snapd where it cannot access the TPM's "Authorized Policy" due to a mismatch in the expected PCR 0-7 or PCR 11 values during the transition between the old and new kernel revisions.
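To make the "measurement gap" from the Purpose section and this answer concrete, here is an added, simplified model (not snapd's or the TPM's real code) of PCR extension, a PCR-bound sealing policy, and a reseal against predicted values. The PCR indexes 7 and 11, the kernel blobs and the disk key are constructed sample inputs; the policy digest is a deliberate simplification of TPM2_PolicyPCR.

```python
import hashlib
from typing import Dict, List, Optional

PCR_RESET = bytes(32)  # a SHA-256 PCR bank starts at all zeros after reset

def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM extend: new = H(old || H(event)). One-way and order dependent."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def measure(events: List[bytes]) -> bytes:
    """Replay a sequence of measured boot assets into a single PCR value."""
    pcr = PCR_RESET
    for event in events:
        pcr = pcr_extend(pcr, event)
    return pcr

def policy_digest(pcrs: Dict[int, bytes]) -> bytes:
    """Simplified PolicyPCR: hash of (index, value) for every selected PCR."""
    h = hashlib.sha256()
    for idx in sorted(pcrs):
        h.update(idx.to_bytes(1, "big") + pcrs[idx])
    return h.digest()

def seal(secret: bytes, pcrs: Dict[int, bytes]) -> dict:
    """Bind the secret to a policy over the given PCR values."""
    return {"policy": policy_digest(pcrs), "secret": secret}

def unseal(blob: dict, live_pcrs: Dict[int, bytes]) -> Optional[bytes]:
    """The key is released only when the live PCRs satisfy the sealed policy."""
    return blob["secret"] if policy_digest(live_pcrs) == blob["policy"] else None

def refresh_scenario():
    """Constructed walk-through: seal, pc-kernel refresh, failed unseal, reseal."""
    firmware_chain = [b"uefi firmware", b"shim", b"grub"]   # constructed assets
    old_kernel, new_kernel = b"pc-kernel rev 100", b"pc-kernel rev 101"
    disk_key = b"\x11" * 32                                 # constructed key
    # Boot 1: firmware chain measured into PCR 7, kernel into PCR 11 (sample layout).
    boot_pcrs = {7: measure(firmware_chain), 11: measure([old_kernel])}
    blob = seal(disk_key, boot_pcrs)
    ok_before = unseal(blob, boot_pcrs) == disk_key
    # Boot 2: the refresh installed a new kernel, so PCR 11 no longer matches.
    after_pcrs = {7: measure(firmware_chain), 11: measure([new_kernel])}
    ok_after = unseal(blob, after_pcrs) == disk_key   # False: recovery key prompt
    # Reseal: predict the post-refresh PCR 11 before rebooting into the new kernel.
    predicted = {7: boot_pcrs[7], 11: measure([new_kernel])}
    resealed = seal(disk_key, predicted)
    ok_resealed = unseal(resealed, after_pcrs) == disk_key
    return ok_before, ok_after, ok_resealed
```

If the predicted PCR 11 value is computed from the wrong kernel revision, the resealed blob fails exactly like the stale one, which is the condition this FAQ answer describes.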
Will I have to enter this key every time now?
No. Once you successfully boot and the system reaches the desktop/console, snapd should automatically re-seal the secret to the TPM. If it continues to ask, your TPM may be in a "read-only" state or the PCRs are fluctuating due to hardware instability.
Can I recover without the key?
No. The data is hardware-encrypted. Without the recovery key, the data on the ubuntu-data partition is mathematically inaccessible. Re-installing Ubuntu Core will wipe all existing data.
Disclaimer
TPM-backed Full Disk Encryption is a security feature that can lead to permanent data loss if recovery keys are not managed properly. This guide addresses a specific known issue with Ubuntu Core 24 and the pc-kernel snap as of March 2026. Always test updates on a non-production device first.
Tags: UbuntuCore, TPM, FullDiskEncryption, SnapRefresh
