diff --git a/Cargo.lock b/Cargo.lock
index e1044081a..7d7d23d9d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2887,7 +2887,6 @@ version = "0.1.0"
 dependencies = [
 "anyhow",
 "async-trait",
- "attestation_agent",
 "base64 0.21.5",
 "bincode",
 "chrono",
diff --git a/confidential-data-hub/kms/Cargo.toml b/confidential-data-hub/kms/Cargo.toml
index 46e386414..de1c12079 100644
--- a/confidential-data-hub/kms/Cargo.toml
+++ b/confidential-data-hub/kms/Cargo.toml
@@ -8,7 +8,6 @@ edition = "2021"
 [dependencies]
 anyhow.workspace = true
 async-trait.workspace = true
-attestation_agent = { path = "../../attestation-agent/lib", default-features = false }
 base64.workspace = true
 bincode = { workspace = true, optional = true }
 chrono = { workspace = true, optional = true }
diff --git a/confidential-data-hub/kms/src/error.rs b/confidential-data-hub/kms/src/error.rs
index adbb9e0d3..980d352bb 100644
--- a/confidential-data-hub/kms/src/error.rs
+++ b/confidential-data-hub/kms/src/error.rs
@@ -3,7 +3,6 @@
 // SPDX-License-Identifier: Apache-2.0
 //
-use attestation_agent::aa_kbc_params;
 use thiserror::Error;
 pub type Result = std::result::Result;
@@ -23,7 +22,4 @@ pub enum Error {
 #[error("Unsupported provider: {0}")]
 UnsupportedProvider(String),
-
- #[error("aa_kbc_params error")]
- AaKbcParamsError(#[from] aa_kbc_params::ParamError),
 }
diff --git a/confidential-data-hub/kms/src/plugins/kbs/cc_kbc.rs b/confidential-data-hub/kms/src/plugins/kbs/cc_kbc.rs
index bf8490571..b0ef6b6d4 100644
--- a/confidential-data-hub/kms/src/plugins/kbs/cc_kbc.rs
+++ b/confidential-data-hub/kms/src/plugins/kbs/cc_kbc.rs
@@ -3,12 +3,15 @@
 // SPDX-License-Identifier: Apache-2.0
 //
+use std::env;
+
 use async_trait::async_trait;
 use kbs_protocol::{
 client::KbsClient as KbsProtocolClient,
 token_provider::{AATokenProvider, TokenProvider},
 KbsClientCapabilities, ResourceUri,
 };
+use log::{info, warn};
 use crate::{Error, Result};
@@ -23,12 +26,26 @@ impl CcKbc {
 let token_provider = AATokenProvider::new()
 .await
 .map_err(|e| Error::KbsClientError(format!("create AA token provider failed: {e}")))?;
+
 let client = kbs_protocol::KbsClientBuilder::with_token_provider(
 Box::new(token_provider),
 kbs_host_url,
- )
- .build()
- .map_err(|e| Error::KbsClientError(format!("create kbs client failed: {e}")))?;
+ );
+
+ let client = match env::var("KBS_PUBLICKEY_CERT") {
+ Ok(cert_pem) => {
+ info!("Use KBS public key cert");
+ client.add_kbs_cert(&cert_pem)
+ }
+ Err(e) => {
+ warn!("KBS_PUBLICKEY_CERT get failed: {e:?}. Use no KBS public key certs.");
+ client
+ }
+ };
+
+ let client = client
+ .build()
+ .map_err(|e| Error::KbsClientError(format!("create kbs client failed: {e}")))?;
 Ok(Self { client })
 }
 }
diff --git a/confidential-data-hub/kms/src/plugins/kbs/mod.rs b/confidential-data-hub/kms/src/plugins/kbs/mod.rs
index bad4047c9..dc5dc6ed9 100644
--- a/confidential-data-hub/kms/src/plugins/kbs/mod.rs
+++ b/confidential-data-hub/kms/src/plugins/kbs/mod.rs
@@ -16,9 +16,9 @@ mod offline_fs;
 use std::sync::Arc;
 use async_trait::async_trait;
-use attestation_agent::aa_kbc_params;
 use lazy_static::lazy_static;
 pub use resource_uri::ResourceUri;
+use std::env;
 use tokio::sync::Mutex;
 use crate::{Annotations, Error, Getter, Result};
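Review bot: The `Err(e)` arm of the `KBS_PUBLICKEY_CERT` match treats every failure of `env::var` alike, so a value that is present but not valid Unicode (`VarError::NotUnicode`) only produces a warn-level log and the client is built with no KBS cert, exactly as if the variable had never been set. A garbled certificate is a misconfiguration rather than an opt-out, and continuing without the pinned key silently drops whatever verification `add_kbs_cert` enables (what that covers depends on kbs_protocol, which is not visible here). Match `env::VarError::NotPresent` for the explicit no-cert path and return `Error::KbsClientError` for anything else, as below; the no-cert branch is the security-relevant one, so its log line should say plainly that no KBS certificate will be checked. `new`'s signature and the `kbs_host_url` parameter it uses are above the hunk.
```rust
let client = match env::var("KBS_PUBLICKEY_CERT") {
    Ok(cert_pem) => {
        info!("Use KBS public key cert");
        client.add_kbs_cert(&cert_pem)
    }
    // Absent is an explicit opt-out; anything else is a misconfiguration.
    Err(env::VarError::NotPresent) => {
        warn!("KBS_PUBLICKEY_CERT not set. Use no KBS public key certs.");
        client
    }
    Err(e) => {
        return Err(Error::KbsClientError(format!(
            "KBS_PUBLICKEY_CERT is set but unreadable: {e}"
        )))
    }
};
// … unchanged: build() and error mapping …
```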
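Review bot: `use std::env;` is inserted between `pub use resource_uri::ResourceUri;` and `use tokio::sync::Mutex;`, which separates it from the other std import, `use std::sync::Arc;`, at the head of the group. Fold it into that line, `use std::{env, sync::Arc};`, so the std / external-crate / crate-local grouping that rustfmt preserves stays intact, as the cc_kbc.rs hunk in this same commit already does with its own `use std::env;`.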
@@ -33,17 +33,19 @@ enum RealClient {
 impl RealClient {
 async fn new() -> Result {
- let params = aa_kbc_params::get_params().await?;
+ let kbc = env::var("KBC_NAME")
+ .map_err(|_| Error::KbsClientError("KBC_NAME not set in env".to_string()))?;
+ let _kbs_url = env::var("KBS_URL")
+ .map_err(|_| Error::KbsClientError("KBS_URL not set in env".to_string()))?;
- let c = match params.kbc() {
+ let c = match &kbc[..] {
 #[cfg(feature = "kbs")]
- "cc_kbc" => RealClient::Cc(cc_kbc::CcKbc::new(params.uri()).await?),
+ "cc_kbc" => RealClient::Cc(cc_kbc::CcKbc::new(&_kbs_url).await?),
 #[cfg(feature = "sev")]
- "online_sev_kbc" => RealClient::Sev(sev::OnlineSevKbc::new(params.uri()).await?),
+ "online_sev_kbc" => RealClient::Sev(sev::OnlineSevKbc::new(&_kbs_url).await?),
 "offline_fs_kbc" => RealClient::OfflineFs(offline_fs::OfflineFsKbc::new().await?),
 others => return Err(Error::KbsClientError(format!("unknown kbc name {others}, only support `cc_kbc`(feature `kbs`), `online_sev_kbc` (feature `sev`) and `offline_fs_kbc`."))),
 };
-
 Ok(c)
 }
 }
diff --git a/confidential-data-hub/kms/src/plugins/mod.rs b/confidential-data-hub/kms/src/plugins/mod.rs
index 698d838ee..be753c1ab 100644
--- a/confidential-data-hub/kms/src/plugins/mod.rs
+++ b/confidential-data-hub/kms/src/plugins/mod.rs
@@ -9,8 +9,6 @@ use strum::{AsRefStr, EnumString};
 use crate::{Decrypter, Error, Getter, ProviderSettings, Result};
-const _IN_GUEST_DEFAULT_KEY_PATH: &str = "/run/confidential-containers/cdh/kms-credential";
-
 #[cfg(feature = "aliyun")]
 pub mod aliyun;
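Review bot: `KBS_URL` is read and required before the `match`, so selecting `offline_fs_kbc` — which never takes a URL — now fails with "KBS_URL not set in env" unless the operator exports a placeholder, and the leading underscore on `_kbs_url` exists only to silence the unused-variable warning when neither the `kbs` nor the `sev` feature is compiled in. Reading the URL inside the arms that use it, as below, keeps the offline path working and removes the underscore. Neither variable is validated beyond presence and `CcKbc::new` / `OnlineSevKbc::new` receive the raw string, so any URL checking presumably lives in kbs_protocol — worth confirming, since a malformed value here is otherwise only caught at the first request. The module also does not say who is expected to set these variables; a line such as `// NOTE: KBC_NAME / KBS_URL come from the process environment; confirm the launcher is their only writer.` would record the assumption. The `RealClient` enum this matches over is above the hunk; the `impl` block ends inside it.
```rust
let kbc = env::var("KBC_NAME")
    .map_err(|_| Error::KbsClientError("KBC_NAME not set in env".to_string()))?;
// Only the network-backed KBCs need a URL; read it where it is used so
// `offline_fs_kbc` does not have to set a placeholder.
#[cfg(any(feature = "kbs", feature = "sev"))]
let kbs_url = || {
    env::var("KBS_URL")
        .map_err(|_| Error::KbsClientError("KBS_URL not set in env".to_string()))
};

let c = match &kbc[..] {
    #[cfg(feature = "kbs")]
    "cc_kbc" => RealClient::Cc(cc_kbc::CcKbc::new(&kbs_url()?).await?),
    #[cfg(feature = "sev")]
    "online_sev_kbc" => RealClient::Sev(sev::OnlineSevKbc::new(&kbs_url()?).await?),
    // … unchanged: offline_fs_kbc and unknown-name arms …
};
```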