diff --git a/scripts/initialize-user-and-keys.sh b/scripts/initialize-user-and-keys.sh
index b1db9615b2b147f0c9a0f780eac01ca4f643e3c0..317592bce83bea2ec58fdd451d4613ab55608f77 100755
--- a/scripts/initialize-user-and-keys.sh
+++ b/scripts/initialize-user-and-keys.sh
@@ -22,7 +22,7 @@ function create_default_admin {
 function create_default_openpgp_keys {
 echo "start to create default openpgp keys identified with default-pgp"
- RUST_LOG=info ./target/debug/control-admin --config ./config/server.toml generate-keys --name default-pgp --description "used for test purpose only" --key-type pgp --email tommylikehu@gmail.com --param-key-type rsa --param-key-size 2048 --param-pgp-email infra@openeuler.org --digest-algorithm sha2_256
+ RUST_LOG=info ./target/debug/control-admin --config ./config/server.toml generate-keys --name default-pgp --description "used for test purpose only" --key-type pgp --email tommylikehu@gmail.com --param-key-type rsa --param-key-size 2048 --param-pgp-email infra@openeuler.org --param-pgp-passphrase husheng1234 --digest-algorithm sha2_256
 }
diff --git a/src/client/file_handler/kernel_module.rs b/src/client/file_handler/kernel_module.rs
index ed627a758e76d645d72a7f200423630e43ec91c7..51b00c64ec1912bdbdf7efe98fc89f661d81587b 100644
--- a/src/client/file_handler/kernel_module.rs
+++ b/src/client/file_handler/kernel_module.rs
@@ -122,7 +122,7 @@ impl KernelModuleFileHandler {
 .with_big_endian(),
 )?.0;
 if raw_content.len() < SIGNATURE_SIZE + signature.sig_len as usize {
- Err(Error::SplitFileError("invalid kernel module signature size found".to_owned()))
+ return Err(Error::SplitFileError("invalid kernel module signature size found".to_owned()));
 }
 //read raw content
 Ok(raw_content[0..(raw_content.len() - SIGNATURE_SIZE - signature.sig_len as usize)].to_owned())
diff --git a/src/control_admin_entrypoint.rs b/src/control_admin_entrypoint.rs
index 6267f5c145e8bd620cf57450f0b07d303ca0ec5b..1e2b7e1443046d9e18cbe173c7f2210366d3ca6b 100644
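Review bot: The added `--param-pgp-passphrase husheng1234` in create_default_openpgp_keys commits a literal passphrase to the repository and passes it on the command line, where it is visible to every local user through `ps`, lands in shell history, and is copied into any audit log of the script. The key is described as "used for test purpose only", but the script's name suggests it seeds a fresh install, so the same value may end up protecting keys on a real deployment, and secret scanners will flag it either way. I would read it from the environment and fail loudly when it is unset, `--param-pgp-passphrase "${DEFAULT_PGP_PASSPHRASE:?DEFAULT_PGP_PASSPHRASE must be set}"`, and document that variable at the top of the script. What `control-admin` itself does with the value is outside this hunk.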
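Review bot: The added `return` makes the guard in the split path actually bail out, but the bound it checks, `SIGNATURE_SIZE + signature.sig_len as usize`, is computed with plain addition on a length read from the untrusted module file, so on a 32-bit target a `sig_len` near `u32::MAX` (the field's Rust type is not visible here; the kernel's on-disk format uses a 32-bit big-endian length) could wrap, pass the check, and then panic in the slice arithmetic below. Computing the trailer size once with `checked_add` closes that and also stops the arithmetic being repeated in the `Ok(...)` slice: `let trailer = SIGNATURE_SIZE.checked_add(signature.sig_len as usize).ok_or_else(|| Error::SplitFileError("invalid kernel module signature size found".to_owned()))?;`, then `if raw_content.len() < trailer { return Err(...); }` and `Ok(raw_content[..raw_content.len() - trailer].to_owned())`. The enclosing method starts outside this hunk, so I could not confirm whether `raw_content.len() >= SIGNATURE_SIZE` was already established before the signature header was parsed.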
--- a/src/control_admin_entrypoint.rs +++ b/src/control_admin_entrypoint.rs @@ -92,6 +92,9 @@ pub struct CommandGenerateKeys { #[arg(long)] #[arg(help = "specify the email used for openPGP key generation. ")] param_pgp_email: Option, + #[arg(long)] + #[arg(help = "specify the passphrase for openPGP key generation. ")] + param_pgp_passphrase: Option, //x509 specific parameters #[arg(long)] #[arg(help = "specify the 'CommonName' used for x509 key generation. ")] @@ -127,6 +130,7 @@ fn generate_keys_parameters(command: &CommandGenerateKeys) -> HashMap } impl PgpKeyGenerationParameter { @@ -205,8 +206,15 @@ impl SignPlugins for OpenPGPPlugin { .expiration(Some(duration)); let secret_key_params = key_params.build()?; let secret_key = secret_key_params.generate()?; - let passwd_fn = || String::new(); - let signed_secret_key = secret_key.sign(passwd_fn)?; + let passwd_fn= || return match parameter.passphrase { + None => { + String::new() + } + Some(password) => { + password + } + }; + let signed_secret_key = secret_key.sign(passwd_fn.clone())?; let public_key = signed_secret_key.public_key(); let signed_public_key = public_key.sign(&signed_secret_key, passwd_fn)?; Ok(DataKeyContent{ @@ -225,7 +233,14 @@ impl SignPlugins for OpenPGPPlugin { } _ => {} } - let passwd_fn = String::new; + let passwd_fn = || return match options.get("passphrase") { + None => { + String::new() + } + Some(password) => { + password.to_string() + } + }; let now = Utc::now(); let sig_cfg = SignatureConfig { version: SignatureVersion::V4, diff --git a/src/presentation/handler/control/datakey_handler.rs b/src/presentation/handler/control/datakey_handler.rs index 5a73238df64b8115b224a41f8d1a93481f6af7cc..3b9de1a9d59993a20112d92d4868a2fb7925d54c 100644 --- a/src/presentation/handler/control/datakey_handler.rs +++ b/src/presentation/handler/control/datakey_handler.rs 
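Review bot: `param_pgp_passphrase` is taken as a plain `--param-pgp-passphrase <value>` flag, so the secret that protects the generated private key is exposed in the process list and in the shell history of whoever runs `control-admin`. Since the struct already uses clap derive attributes, reading it from the environment is a one-attribute change, `#[arg(long, env = "PGP_PASSPHRASE", hide_env_values = true)]` (this needs clap's `env` feature, which I cannot confirm from this chunk), or the command could prompt on stdin when the flag is absent. The help text should also say whether the passphrase has to be supplied again at signing time, if that is what the sign-plugin change in this commit implies. `CommandGenerateKeys` begins before this hunk, and the `-127,6 +130,7` hunk is too garbled in this chunk to review.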
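Review bot: The new `passwd_fn` in the key-generation path is written as `|| return match parameter.passphrase { ... }`, which moves the passphrase out of `parameter` inside the closure and is why `passwd_fn.clone()` became necessary to use it for both `sign` calls; the same behaviour reads more directly as `let passphrase = parameter.passphrase.clone().unwrap_or_default();` followed by `let passwd_fn = || passphrase.clone();`, which borrows and can be handed to both calls without cloning the closure (assuming the pgp API only asks for an `FnOnce() -> String`, as the previous capture-free closure suggests). The signing-path closure over `options.get("passphrase")` can likewise collapse to `options.get("passphrase").cloned().unwrap_or_default()` if `options` holds `String` values, otherwise `.map(ToString::to_string)`. The file header for these two hunks is missing from the visible chunk, and both enclosing functions start and end outside the hunks.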
@@ -35,6 +35,7 @@ use super::model::user::dto::UserIdentity;
 /// 2. **email**: email address used for identify the pgp key,
 /// 3. **key_length**: the private key length, for example, 2048,
 /// 4. **key_type**: the algorithm of private key, for example, rsa or dsa.
+/// 5. **passphrase**: (optional) password of the key
 /// ### Request body example:
 /// ```json
 /// {
@@ -46,6 +47,7 @@ use super::model::user::dto::UserIdentity;
 /// "key_type": "rsa",
 /// "key_length": "2048",
 /// "email": "test@openeuler.org",
+/// "passphrase": "password"
 /// },
 /// "create_at": "2023-04-12 22:10:57+08:00",
 /// "expire_at": "2024-05-12 22:10:57+08:00"
@@ -298,9 +300,11 @@ async fn disable_data_key(_user: UserIdentity, key_service: web::Data
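Review bot: The new item `/// 5. **passphrase**: (optional) password of the key` does not say what the passphrase protects or when it must be supplied again, so API clients may generate a key they cannot later sign with. Based on the sign-plugin change in this commit, where signing reads `options.get("passphrase")`, I would write it as `/// 5. **passphrase**: (optional) passphrase that encrypts the generated private key; if set, the same value must be passed as the "passphrase" option on every sign request` — please confirm that is the intended contract. It is also worth stating that the value is accepted only in the request body and is not echoed back in responses, if the handler guarantees that; the handler code itself is outside these hunks, and the `-298,9 +300,11` hunk is cut off at the end of this chunk.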