diff --git a/src/cloud-api-adaptor/podvm/files/etc/ocicrypt_config.json b/src/cloud-api-adaptor/podvm/files/etc/ocicrypt_config.json
new file mode 100644
index 000000000..ad171bf9d
--- /dev/null
+++ b/src/cloud-api-adaptor/podvm/files/etc/ocicrypt_config.json
@@ -0,0 +1,7 @@
+{
+ "key-providers": {
+ "attestation-agent": {
+ "ttrpc": "unix:///run/confidential-containers/cdh.sock"
+ }
+ }
+}
diff --git a/src/cloud-api-adaptor/podvm/files/etc/systemd/system/kata-agent.service b/src/cloud-api-adaptor/podvm/files/etc/systemd/system/kata-agent.service
index 59c853ab3..95be6c5f8 100644
--- a/src/cloud-api-adaptor/podvm/files/etc/systemd/system/kata-agent.service
+++ b/src/cloud-api-adaptor/podvm/files/etc/systemd/system/kata-agent.service
@@ -5,6 +5,7 @@ Wants=process-user-data.service attestation-agent.service
 After=netns@podns.service process-user-data.service attestation-agent.service
 [Service]
+Environment=OCICRYPT_KEYPROVIDER_CONFIG=/etc/ocicrypt_config.json
 ExecStartPre=mkdir -p /run/kata-containers
 ExecStart=/usr/local/bin/kata-agent --config /run/peerpod/agent-config.toml
 ExecStartPre=-umount /sys/fs/cgroup/misc
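Review bot: The provider entry is keyed `"attestation-agent"` while its `ttrpc` endpoint is `cdh.sock`, and nothing in the change explains the mismatch. It is presumably a protocol name that encrypted images reference rather than the name of the serving process. Strict JSON cannot carry a comment, so the explanation belongs in the commit message or beside the `Environment=` line in kata-agent.service, e.g. `# provider name is fixed by the image encryption annotation; the socket is served by CDH`. Whatever process binds this socket answers key-unwrap requests for encrypted layers, so `/run/confidential-containers` should be created root-owned and not group- or world-writable before kata-agent starts. Neither that directory setup nor whether this file is covered by the pod VM image measurement is visible in this diff, so both are worth confirming.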
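Review bot: The unit's `Wants=` and `After=` lines order kata-agent only against `attestation-agent.service`, but the config file that the new `Environment=` line selects points ocicrypt at `/run/confidential-containers/cdh.sock`. If the process serving that socket runs as its own unit, nothing visible here guarantees it is listening before the first encrypted image pull, and decryption would fail at that point rather than at boot. I would add that unit to both lines, e.g. `After=netns@podns.service process-user-data.service attestation-agent.service <cdh-unit>.service`, or confirm that it is started and ordered elsewhere. The `[Unit]` section starts above the hunk, so any other dependencies it declares are not visible.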