diff --git a/pkg/pillar/cmd/vaultmgr/vaultmgr.go b/pkg/pillar/cmd/vaultmgr/vaultmgr.go
index 12c1126572..7465b5fb49 100644
--- a/pkg/pillar/cmd/vaultmgr/vaultmgr.go
+++ b/pkg/pillar/cmd/vaultmgr/vaultmgr.go
@@ -512,13 +512,21 @@ func publishVaultKey(ctx *vaultMgrContext, vaultName string) error {
 		}
 		keyBytes, err := etpm.FetchSealedVaultKey(log)
 		if err != nil {
-			return fmt.Errorf("Failed to retrieve key from TPM %w", err)
+			return fmt.Errorf("failed to retrieve key from TPM %w", err)
 		}
 
 		encryptedKey, err := etpm.EncryptDecryptUsingTpm(keyBytes, true)
 		if err != nil {
-			// XXX should we still send with no key?
-			return fmt.Errorf("Failed to encrypt vault key %w", err)
+			// if we can't encrypt the vault key using TPM, possibly something
+			// is horribly wrong with TPM, this can bite us later for example
+			// when we try to upgrade the device, so better to fail early.
+			key := types.EncryptedVaultKeyFromDevice{
+				Name:     vaultName,
+				TpmError: err}
+			ctx.pubVaultKeyFromDevice.Publish(key.Key(), key)
+
+			// still return error, this will get logged
+			return fmt.Errorf("failed to encrypt vault key %w", err)
 		}
 
 		hash := sha256.New()
@@ -531,7 +539,7 @@ func publishVaultKey(ctx *vaultMgrContext, vaultName string) error {
 		}
 		encryptedVaultKey, err = proto.Marshal(keyData)
 		if err != nil {
-			return fmt.Errorf("Failed to Marshal keyData %w", err)
+			return fmt.Errorf("failed to Marshal keyData %w", err)
 		}
 	}
 
diff --git a/pkg/pillar/cmd/zedagent/attesttask.go b/pkg/pillar/cmd/zedagent/attesttask.go
index f5e2b7abc6..8265ee457b 100644
--- a/pkg/pillar/cmd/zedagent/attesttask.go
+++ b/pkg/pillar/cmd/zedagent/attesttask.go
@@ -791,6 +791,13 @@ func handleEncryptedKeyFromDeviceImpl(ctxArg interface{}, key string,
 	log.Noticef("handleEncryptedKeyFromDeviceImpl len %d",
 		len(vaultKey.EncryptedVaultKey))
 
+	if vaultKey.TpmError != nil {
+		ctx.maintenanceMode = true
+		ctx.maintModeReason = types.MaintenanceModeReasonTpmFailure
+		log.Errorf("setting maintenance mode due to TPM failurec: %v", vaultKey.TpmError)
+		return
+	}
+
 	if ctx.attestCtx == nil {
 		log.Fatalf("[ATTEST] Uninitialized access to attestCtx")
 	}
diff --git a/pkg/pillar/types/vaultmgrtypes.go b/pkg/pillar/types/vaultmgrtypes.go
index 229f691cda..1c2e6fbc63 100644
--- a/pkg/pillar/types/vaultmgrtypes.go
+++ b/pkg/pillar/types/vaultmgrtypes.go
@@ -86,6 +86,7 @@ type EncryptedVaultKeyFromDevice struct {
 	Name              string
 	EncryptedVaultKey []byte // empty if no TPM enabled
 	IsTpmEnabled      bool
+	TpmError          error // only set if there is unrecoverable error, for example TPM is kaputt.
 }
 
 // Key returns name of the vault corresponding to this object
diff --git a/pkg/pillar/types/zedagenttypes.go b/pkg/pillar/types/zedagenttypes.go
index efdc790271..c86069542b 100644
--- a/pkg/pillar/types/zedagenttypes.go
+++ b/pkg/pillar/types/zedagenttypes.go
@@ -395,6 +395,7 @@ const (
 	MaintenanceModeReasonUserRequested
 	MaintenanceModeReasonVaultLockedUp
 	MaintenanceModeReasonNoDiskSpace
+	MaintenanceModeReasonTpmFailure
 )
 
 // String returns the verbose equivalent of MaintenanceModeReason code
@@ -408,6 +409,8 @@ func (mmr MaintenanceModeReason) String() string {
 		return "MaintenanceModeReasonVaultLockedUp"
 	case MaintenanceModeReasonNoDiskSpace:
 		return "MaintenanceModeReasonNoDiskSpace"
+	case MaintenanceModeReasonTpmFailure:
+		return "MaintenanceModeReasonTpmFailure"
 	default:
 		return fmt.Sprintf("Unknown MaintenanceModeReason %d", mmr)
 	}