diff --git a/overlord/fdestate/backend/seal.go b/overlord/fdestate/backend/seal.go
index 5d538ddd0ba..f5d7fe32421 100644
--- a/overlord/fdestate/backend/seal.go
+++ b/overlord/fdestate/backend/seal.go
@@ -146,6 +146,7 @@ func sealFallbackObjectKeys(key, saveKey secboot.BootstrappedContainer, pbc boot
 func sealKeyForBootChainsHook(key, saveKey secboot.BootstrappedContainer, params *boot.SealKeyForBootChainsParams) error {
 	sealingParams := secboot.SealKeysWithFDESetupHookParams{
 		AuxKeyFile: filepath.Join(boot.InstallHostFDESaveDir, "aux-key"),
+		PrimaryKey: params.PrimaryKey,
 	}
 
 	for _, runChain := range params.RunModeBootChains {
diff --git a/overlord/fdestate/backend/seal_test.go b/overlord/fdestate/backend/seal_test.go
index 305cd4f6dca..d5c14994840 100644
--- a/overlord/fdestate/backend/seal_test.go
+++ b/overlord/fdestate/backend/seal_test.go
@@ -436,6 +436,7 @@ func (s *sealSuite) testSealToModeenvWithFdeHookHappy(c *C, useTokens bool) {
 		c.Check(params.Model.Model(), Equals, model.Model())
 		c.Check(params.Model.Model(), Equals, model.Model())
 		c.Check(params.AuxKeyFile, Equals, filepath.Join(boot.InstallHostFDESaveDir, "aux-key"))
+		c.Check(params.PrimaryKey, DeepEquals, []byte{1, 2, 3, 4})
 		for _, skr := range skrs {
 			var expectedBootstrappedContainer secboot.BootstrappedContainer
 			switch skr.KeyName {
@@ -490,6 +491,7 @@ func (s *sealSuite) testSealToModeenvWithFdeHookHappy(c *C, useTokens bool) {
 		FactoryReset: false,
 		InstallHostWritableDir: filepath.Join(boot.InstallUbuntuDataDir, "system-data"),
 		UseTokens: useTokens,
+		PrimaryKey: []byte{1, 2, 3, 4},
 	}
 	err := boot.SealKeyForBootChains(device.SealingMethodFDESetupHook, dataContainer, saveContainer, nil, params)
 	c.Assert(err, IsNil)
diff --git a/secboot/secboot.go b/secboot/secboot.go
index d7e232a9cbb..20ce3a8898e 100644
--- a/secboot/secboot.go
+++ b/secboot/secboot.go
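Review bot: `PrimaryKey: params.PrimaryKey` forwards the caller's slice by reference, so the boot package and secboot share one backing array for key material; if either side later zeroes or reuses that buffer after sealing, the other sees it. Nothing in the hunk shows such wiping, so this may be fine, but a short comment would help the next reader: `// PrimaryKey may be nil, in which case secboot generates one; the slice is shared with params, not copied.` If isolation is wanted, `PrimaryKey: append([]byte(nil), params.PrimaryKey...)` keeps the nil-means-generate semantics while decoupling the two buffers. The body of sealKeyForBootChainsHook continues outside the hunk.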
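Review bot: The added check `c.Check(params.PrimaryKey, DeepEquals, []byte{1, 2, 3, 4})` together with the fixture in the @@ -490 hunk exercises only the case where a caller supplies a PrimaryKey; the nil case, which the new field's comment says means "generate one", gets no assertion, so a regression that always forwards a stale or zero-length key through sealKeyForBootChainsHook would still pass. Consider parameterising testSealToModeenvWithFdeHookHappy on the primary key (nil and a fixed value) and asserting `c.Check(params.PrimaryKey, IsNil)` in the nil variant. The params being checked here appear to come from a mocked SealKeysWithFDESetupHook, so the real consumer in secboot is not covered by this test either; the FIXME added in secboot_hooks.go acknowledges that. The enclosing test method starts and ends outside both hunks.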
@@ -149,6 +149,8 @@ type SealKeysWithFDESetupHookParams struct {
 	// The path to the aux key file (if empty the key will not be
 	// saved)
 	AuxKeyFile string
+	// The primary key to use, nil if needs to be generated
+	PrimaryKey []byte
 }
 
 // KeyDataLocation represents the possible places where key data
diff --git a/secboot/secboot_hooks.go b/secboot/secboot_hooks.go
index 8a1eac30ee1..72f83276494 100644
--- a/secboot/secboot_hooks.go
+++ b/secboot/secboot_hooks.go
@@ -71,6 +71,10 @@ func (h *hookKeyProtector) ProtectKey(rand io.Reader, cleartext, aad []byte) (ci
 func SealKeysWithFDESetupHook(runHook fde.RunSetupHookFunc, keys []SealKeyRequest, params *SealKeysWithFDESetupHookParams) error {
 	var primaryKey sb.PrimaryKey
+	if params.PrimaryKey != nil {
+		// FIXME: add unit test taking that primary key
+		primaryKey = params.PrimaryKey
+	}
 	for _, skr := range keys {
 		protector := &hookKeyProtector{
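Review bot: The new comment `// The primary key to use, nil if needs to be generated` leaves the empty-but-non-nil case undefined, and the consumer added in secboot_hooks.go decides with `params.PrimaryKey != nil`, so a caller passing `[]byte{}` would have a zero-length primary key forwarded into sealing rather than a generated one. Either state that explicitly, or preferably treat any empty slice as "generate" at the consumer with `len(params.PrimaryKey) == 0` and document it here: `// PrimaryKey is the primary key to seal with; when empty, a fresh key is generated.` Whether the sealing layer later rejects a wrong-length key is not visible in this hunk, so pinning the contract down in the comment is the cheap safeguard. As a point of style, Go doc comments conventionally begin with the field name, which the neighbouring AuxKeyFile comment also does not follow.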