diff --git a/initrd/bin/tpmr b/initrd/bin/tpmr
index 7b84a539..99f194fa 100755
--- a/initrd/bin/tpmr
+++ b/initrd/bin/tpmr
@@ -43,7 +43,6 @@ tpm2_extend() {
 	tpm2 pcrextend "$index:sha256=$hash"
 	DEBUG "tpm2 pcread sha256:$index"
 	tpm2 pcrread "sha256:$index"
-	DEBUG "$(pcrs)"
 }
 
 tpm2_counter_read() {
@@ -229,6 +228,14 @@ tpm2_unseal() {
 
 	DEBUG "tpm2_unseal: handle=$handle pcrl=$pcrl file=$file pass=$([ "$pass" ] && echo "<yes>" || echo "<no>")"
 
+	# If we don't have the primary handle (TPM hasn't been reset), tpm2 will
+	# print nonsense error messages about an unexpected handle value.  We
+	# can't do anything without a primary handle.
+	if [ ! -f "/tmp/$PRIMARY_HANDLE_FILE" ]; then
+		DEBUG "tpm2_unseal: No primary handle, cannot attempt to unseal"
+		exit 1
+	fi
+
 	POLICY_SESSION=/tmp/unsealfile_policy.session
 	rm -f "$POLICY_SESSION"
 	tpm2 startauthsession -Q -g sha256 -c "/tmp/$PRIMARY_HANDLE_FILE" -S "$POLICY_SESSION" --policy-session
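Review bot: The new guard in tpm2_unseal reports the missing primary handle only through DEBUG, so on a boot without debug output the function exits 1 with no visible reason, and a caller cannot tell an unprovisioned TPM from a PCR policy mismatch, which is the failure a user should treat as possible tampering. Consider also writing the reason to stderr before `exit 1`, for example `echo "tpm2_unseal: no primary handle, TPM must be reset first" >&2`. The test `[ ! -f ... ]` also passes for a zero-length file; `[ ! -s "/tmp/$PRIMARY_HANDLE_FILE" ]` would reject an empty handle file too, which presumably leads to the same confusing tpm2 errors the comment describes. tpm2_unseal begins before this hunk and continues past it, so how the later steps report failure is not visible here.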