diff --git a/interfaces/innerkits/storage_manager/native/storage_service_errno.h b/interfaces/innerkits/storage_manager/native/storage_service_errno.h
index 359a10797e781dfb120ffe3ca7a39a02f930244e..862523181bdcde7897a04ef384ff4d8ea2987c57 100644
--- a/interfaces/innerkits/storage_manager/native/storage_service_errno.h
+++ b/interfaces/innerkits/storage_manager/native/storage_service_errno.h
@@ -183,6 +183,7 @@ enum ErrNo {
     E_DELETE_USER_DIR_LSTAT = STORAGE_SERVICE_SYS_CAP_TAG + 751,
     E_DELETE_USER_DIR_NOEXIST = STORAGE_SERVICE_SYS_CAP_TAG + 752,
     E_DELETE_USER_DIR_NOTDIR = STORAGE_SERVICE_SYS_CAP_TAG + 753,
+    E_MOUNT_FBE = STORAGE_SERVICE_SYS_CAP_TAG + 754,
 
     // 空间统计 13601201 ~ 13601700
     E_BUNDLEMGR_ERROR = STORAGE_SERVICE_SYS_CAP_TAG + 1201,
diff --git a/services/storage_daemon/crypto/src/key_manager.cpp b/services/storage_daemon/crypto/src/key_manager.cpp
index 374b3e53b427cb2e5312c619a4f06dfc3179f9a4..80e6f1494e7e62f82f0ce91ac5469239215c4532 100644
--- a/services/storage_daemon/crypto/src/key_manager.cpp
+++ b/services/storage_daemon/crypto/src/key_manager.cpp
@@ -68,6 +68,11 @@ constexpr uint32_t FILE_ENCRY_ERROR_UECE_AUTH_STATUS_WRONG = 0xFBE30034;
 #ifdef EL5_FILEKEY_MANAGER
 constexpr int32_t WAIT_THREAD_TIMEOUT_MS = 500;
 #endif
+#ifdef RECOVER_KEY_TEE_ENVIRONMENT
+const std::string FILE_BASED_ENCRYPT_SRC_PATH = "/mnt/data_old/service/el1/public/sec_storage_data/fbe3";
+const std::string FILE_BASED_ENCRYPT_DST_PATH = "/data/service/el1/public/sec_storage_data/fbe3";
+constexpr int32_t DEFAULT_REPAIR_USERID = 10736;
+#endif
 
 static bool IsEncryption()
 {
@@ -1648,6 +1653,32 @@ int KeyManager::SetRecoverKey(const std::vector<uint8_t> &key)
     }
     return E_OK;
 }
+#ifdef RECOVER_KEY_TEE_ENVIRONMENT
+int32_t KeyManager::FileBasedEncryptfsMount()
+{
+    std::string srcPath = FILE_BASED_ENCRYPT_SRC_PATH;
+    std::string dstPath = FILE_BASED_ENCRYPT_DST_PATH;
+    int32_t ret = TEMP_FAILURE_RETRY(umount(dstPath.c_str()));
+    if (ret != E_OK && errno != ENOENT && errno != EINVAL) {
+        LOGE("failed to unmount file based encrypt fs, err %{public}d", errno);
+        std::string extraData = "srcPath=" + srcPath + ",dstPath=" + dstPath + ",kernelCode=" + std::to_string(errno);
+        StorageRadar::ReportUserManager("FileBasedEncryptfsMount", DEFAULT_REPAIR_USERID, E_MOUNT_FBE, extraData);
+        return E_MOUNT_FBE;
+    }
+    auto startTime = StorageService::StorageRadar::RecordCurrentTime();
+    ret = TEMP_FAILURE_RETRY(mount(srcPath.c_str(), dstPath.c_str(), nullptr, MS_BIND, nullptr));
+    if (ret != 0 && errno != EEXIST && errno != EBUSY) {
+        LOGE("failed to bind mount file based encrypt fs, err %{public}d", errno);
+        std::string extraData = "srcPath=" + srcPath + ",dstPath=" + dstPath + ",kernelCode=" + std::to_string(errno);
+        StorageRadar::ReportUserManager("FileBasedEncryptfsMount", DEFAULT_REPAIR_USERID, E_MOUNT_FBE, extraData);
+        return E_MOUNT_FBE;
+    }
+    auto delay = StorageService::StorageRadar::ReportDuration("MOUNT: BIND MOUNT",
+        startTime, StorageService::DELAY_TIME_THRESH_HIGH, DEFAULT_REPAIR_USERID);
+    LOGI("SD_DURATION: MOUNT: BIND MOUNT, delayTime = %{public}s", delay.c_str());
+    return E_OK;
+}
+#endif
 
 int32_t KeyManager::ResetSecretWithRecoveryKey(uint32_t userId, uint32_t rkType, const std::vector<uint8_t> &key)
 {
@@ -1694,6 +1725,11 @@ int32_t KeyManager::ResetSecretWithRecoveryKey(uint32_t userId, uint32_t rkType,
             return E_ELX_KEY_STORE_ERROR;
         }
     }
+    ret = FileBasedEncryptfsMount();
+    if (ret !=0) {
+        LOGE("mount file based encrypt fs failed!");
+        return ret;
+    }
 #endif
     return E_OK;
 }
diff --git a/services/storage_daemon/crypto/test/key_manager_test/key_manager_another_test.cpp b/services/storage_daemon/crypto/test/key_manager_test/key_manager_another_test.cpp
index 87b491d1eb14c7ce79cfd7e4e6b1c580e170a41f..73ef627709a351968398271ba7b0a2d0439b7bf2 100644
--- a/services/storage_daemon/crypto/test/key_manager_test/key_manager_another_test.cpp
+++ b/services/storage_daemon/crypto/test/key_manager_test/key_manager_another_test.cpp
@@ -151,7 +151,7 @@ HWTEST_F(KeyMgrAnotherTest, KeyManager_ResetSecretWithRecoveryKey_000, TestSize.
         .WillOnce(Return(FSCRYPT_V2)).WillOnce(Return(FSCRYPT_V2));
     EXPECT_CALL(*recoveryMgrMock_, ResetSecretWithRecoveryKey()).WillOnce(Return(E_OK));
     EXPECT_CALL(*baseKeyMock_, StoreKey(_, _)).Times(6).WillOnce(Return(E_OK));
-    EXPECT_EQ(KeyManager::GetInstance().ResetSecretWithRecoveryKey(userId, rkType, key), E_OK);
+    EXPECT_EQ(KeyManager::GetInstance().ResetSecretWithRecoveryKey(userId, rkType, key), E_MOUNT_FBE);
 
     OHOS::ForceRemoveDirectory(MAINTAIN_DEVICE_EL1_DIR);
     OHOS::ForceRemoveDirectory(globalUserEl1Path);
diff --git a/services/storage_daemon/include/crypto/key_manager.h b/services/storage_daemon/include/crypto/key_manager.h
index 0e01b016e0274588abee29d4e07654b2012af68c..f124ecb4a07b4de194807e22d0ad263bde54681e 100644
--- a/services/storage_daemon/include/crypto/key_manager.h
+++ b/services/storage_daemon/include/crypto/key_manager.h
@@ -184,6 +184,9 @@ private:
 
 #ifdef EL5_FILEKEY_MANAGER
     int GenerateAndLoadAppKeyInfo(uint32_t userId, const std::vector<std::pair<int, std::string>> &keyInfo);
+#endif
+#ifdef RECOVER_KEY_TEE_ENVIRONMENT
+    int32_t FileBasedEncryptfsMount();
 #endif
     using KeyMap = std::map<KeyType, std::shared_ptr<BaseKey>>;
     std::map<unsigned int, KeyMap> userElKeys_;
diff --git a/services/storage_daemon/mtp/test/BUILD.gn b/services/storage_daemon/mtp/test/BUILD.gn
index db61f8f08a6388a5102f082f22894599283f9fbd..a5599671848438d9f33218e8e510880529d6877c 100644
--- a/services/storage_daemon/mtp/test/BUILD.gn
+++ b/services/storage_daemon/mtp/test/BUILD.gn
@@ -64,6 +64,7 @@ ohos_unittest("mtp_device_manager_test") {
     "ipc:ipc_single",
     "samgr:samgr_proxy",
     "usb_manager:usbsrv_client",
+    "init:libbegetutil",
   ]
 }
 
diff --git a/services/storage_daemon/mtpfs/include/mtpfs_fuse.h b/services/storage_daemon/mtpfs/include/mtpfs_fuse.h
index fd7c2485432d5ad2fe7837915c12d3a841c845e4..2e8e72b6dc9147a2a0b43cd0d47a9a2814d01403 100644
--- a/services/storage_daemon/mtpfs/include/mtpfs_fuse.h
+++ b/services/storage_daemon/mtpfs/include/mtpfs_fuse.h
@@ -106,7 +106,7 @@ public:
     int Truncate(const char *path, off_t offset, struct fuse_file_info *fileInfo);
     void *Init(struct fuse_conn_info *conn, struct fuse_config *cfg);
     int Create(const char *path, mode_t mode, fuse_file_info *fileInfo);
-    int SetXAttr(const char *path, const char *in, const char *out);
+    int SetXAttr(const char *path, const char *in, const char *out = nullptr);
     int GetXAttr(const char *path, const char *in, char *out, size_t size);
     int GetThumbAttr(const std::string &path, struct stat *buf);
     void HandleRemove(uint32_t handleId);