diff --git a/initrd/bin/kexec-insert-key b/initrd/bin/kexec-insert-key
index f06c5483..674aab4e 100755
--- a/initrd/bin/kexec-insert-key
+++ b/initrd/bin/kexec-insert-key
@@ -57,6 +57,9 @@ tpmr extend -ix 4 -ic generic ||
 # Check to continue
 if [ "$unseal_failed" = "y" ]; then
 confirm_boot="n"
+ if diff "$(dirname $INITRD)/kexec_lukshdr_hash.txt" /tmp/luksDump.txt > /dev/null 2>&1; then
+ echo "Headers of LUKS containers to be unlocked via TPM Disk Unlock Key passphrase did not change."
+ fi
 read \
 -n 1 \
 -p "Do you wish to boot and use the LUKS Disk Recovery Key? [Y/n] " \
diff --git a/initrd/bin/kexec-unseal-key b/initrd/bin/kexec-unseal-key
index 3f18c435..6f5cbd9f 100755
--- a/initrd/bin/kexec-unseal-key
+++ b/initrd/bin/kexec-unseal-key
@@ -40,6 +40,14 @@ for tries in 1 2 3; do
 DEBUG $(pcrs)
 warn "Unable to unseal disk encryption key"
+ if [ -e /boot/kexec_lukshdr_hash.txt -a -e /tmp/luksDump.txt ]; then
+ if ! diff /boot/kexec_lukshdr_hash.txt /tmp/luksDump.txt > /dev/null 2>&1; then
+ warn "Encrypted LUKS(es) container(s) headers changed since they were measured and sealed in TPM for Disk Unlock key. You might want to investigate."
+ fi
+ else
+ warn "No encrypted LUKS container(s) headers were found/comparable under /boot/kexec_lukshdr_hash.txt"
+ warn "You might need to setup a new boot default and Disk Unlock Key from Options->Boot Options->Show OS boot menu."
+ fi
 done
 die "Retry count exceeded..."
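Review bot: `$INITRD` is expanded unquoted inside the command substitution on the new `if diff "$(dirname $INITRD)/kexec_lukshdr_hash.txt" ...` line, so a value containing whitespace or glob characters is split before `dirname` sees it; write `if diff "$(dirname "$INITRD")/kexec_lukshdr_hash.txt" /tmp/luksDump.txt > /dev/null 2>&1; then`. The block reports only the unchanged case: when `diff` fails because the files differ, or because either file is missing, the user is offered the recovery key with no hint that the LUKS headers no longer match what was sealed, which is exactly the case an operator needs to see before typing a recovery passphrase. An `else` branch echoing that the headers differ or could not be compared, mirroring what the kexec-unseal-key hunk in this commit does, would keep the two scripts consistent. Note also that this script derives the hash-file location from `$INITRD` while kexec-unseal-key hardcodes `/boot/kexec_lukshdr_hash.txt`; if those two locations can ever differ, the two checks will disagree. The enclosing `if [ "$unseal_failed" = "y" ]` block continues past the hunk.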
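Review bot: The new `if [ -e /boot/kexec_lukshdr_hash.txt -a -e /tmp/luksDump.txt ]` line uses the `-a` test operator, which POSIX marks obsolescent and which is ambiguous when an operand looks like an option; write `if [ -e /boot/kexec_lukshdr_hash.txt ] && [ -e /tmp/luksDump.txt ]; then`. When both files exist and match, the block stays silent, so an unseal failure caused by something other than a header change (presumably a PCR mismatch from firmware or boot-path changes) gets no explanation; an `else` on the inner `if` with `warn "LUKS header hashes match the sealed ones; unseal failure is likely due to other PCR changes."` would cover that case. The warnings sit inside the `for tries in 1 2 3` loop, whose `for` line is outside the hunk, so they appear to be printed once per failed attempt; emitting them once after `done`, just before `die`, would avoid the repetition. The hash-file path is hardcoded here but derived from `$INITRD` in the kexec-insert-key hunk of the same commit.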