diff --git a/services/distributeddataservice/app/BUILD.gn b/services/distributeddataservice/app/BUILD.gn
index 1003b306ca901351c7998dde84037a89d5cf54e5..8cd57defb0599de58bf1a2eee88d0919dd3a61ce 100755
--- a/services/distributeddataservice/app/BUILD.gn
+++ b/services/distributeddataservice/app/BUILD.gn
@@ -55,6 +55,7 @@ config("module_private_config") {
     "src",
     "//third_party/json/single_include",
     "//base/security/permission/interfaces/innerkits/permission_standard/permissionsdk/main/cpp/include",
+    "//base/security/huks/interfaces/innerkits/huks_standard/main/include",
   ]
 
   cflags = [ "-Wno-multichar" ]
@@ -113,6 +114,7 @@ ohos_shared_library("distributeddataservice") {
     "samgr_L2:samgr_proxy",
     "startup_l2:syspara",
     "permission_standard:libpermissionsdk_standard",
+    "huks_standard:libhukssdk",
   ]
 
   subsystem_name = "distributeddatamgr"
diff --git a/services/distributeddataservice/app/src/kvstore_meta_manager.cpp b/services/distributeddataservice/app/src/kvstore_meta_manager.cpp
index 937ea43d22925a95ac0108a2209f6ab8c0bc46f8..54417a6412d1ec0f28d9e4e028321ccafb97deab 100755
--- a/services/distributeddataservice/app/src/kvstore_meta_manager.cpp
+++ b/services/distributeddataservice/app/src/kvstore_meta_manager.cpp
@@ -131,6 +131,10 @@ void KvStoreMetaManager::InitMetaParameter()
 
     DistributedDB::KvStoreConfig kvStoreConfig {metaDBDirectory_};
     kvStoreDelegateManager_.SetKvStoreConfig(kvStoreConfig);
+
+    vecRootKeyAlias_ = std::vector<uint8_t>(ROOT_KEY_ALIAS, ROOT_KEY_ALIAS + strlen(ROOT_KEY_ALIAS));
+    vecNonce_ = std::vector<uint8_t>(HKS_BLOB_TYPE_NONCE, HKS_BLOB_TYPE_NONCE + strlen(HKS_BLOB_TYPE_NONCE));
+    vecAad_ = std::vector<uint8_t>(HKS_BLOB_TYPE_AAD, HKS_BLOB_TYPE_AAD + strlen(HKS_BLOB_TYPE_AAD));
 }
 
 const KvStoreMetaManager::NbDelegate &KvStoreMetaManager::GetMetaKvStore()
@@ -274,7 +278,60 @@ Status KvStoreMetaManager::CheckUpdateServiceMeta(const std::vector<uint8_t> &me
 
 Status KvStoreMetaManager::GenerateRootKey()
 {
-    return Status::ERROR;
+    ZLOGI("GenerateRootKey.");
+    struct HksBlob rootKeyName = { vecRootKeyAlias_.size(), &(vecRootKeyAlias_[0]) };
+    struct HksParamSet *paramSet = nullptr;
+    int32_t ret = HksInitParamSet(&paramSet);
+    if (ret != HKS_SUCCESS) {
+        ZLOGE("HksInitParamSet() failed with error %{public}d", ret);
+        return Status::ERROR;
+    }
+
+    struct HksParam genKeyParams[] = {
+        { .tag = HKS_TAG_ALGORITHM, .uint32Param = HKS_ALG_AES },
+        { .tag = HKS_TAG_KEY_SIZE, .uint32Param = HKS_AES_KEY_SIZE_256 },
+        { .tag = HKS_TAG_PURPOSE, .uint32Param = HKS_KEY_PURPOSE_ENCRYPT | HKS_KEY_PURPOSE_DECRYPT },
+        { .tag = HKS_TAG_DIGEST, .uint32Param = 0 },
+        { .tag = HKS_TAG_PADDING, .uint32Param = HKS_PADDING_NONE },
+        { .tag = HKS_TAG_BLOCK_MODE, .uint32Param = HKS_MODE_GCM },
+    };
+
+    ret = HksAddParams(paramSet, genKeyParams, sizeof(genKeyParams) / sizeof(genKeyParams[0]));
+    if (ret != HKS_SUCCESS) {
+        ZLOGE("HksAddParams failed with error %{public}d", ret);
+        HksFreeParamSet(&paramSet);
+        return Status::ERROR;
+    }
+
+    ret = HksBuildParamSet(&paramSet);
+    if (ret != HKS_SUCCESS) {
+        ZLOGE("HksBuildParamSet failed with error %{public}d", ret);
+        HksFreeParamSet(&paramSet);
+        return Status::ERROR;
+    }
+
+    ret = HksGenerateKey(&rootKeyName, paramSet, NULL);
+    if (ret != HKS_SUCCESS) {
+        ZLOGE("HksGenerateKey failed with error %{public}d", ret);
+        HksFreeParamSet(&paramSet);
+        return Status::ERROR;
+    }
+    HksFreeParamSet(&paramSet);
+
+    auto &metaDelegate = GetMetaKvStore();
+    if (metaDelegate == nullptr) {
+        ZLOGE("GetMetaKvStore return nullptr.");
+        return Status::DB_ERROR;
+    }
+
+    DistributedDB::Key dbKey = std::vector<uint8_t>(Constant::ROOT_KEY_GENERATED.begin(),
+        Constant::ROOT_KEY_GENERATED.end());
+    if (metaDelegate->PutLocal(dbKey, {ROOT_KEY_ALIAS, ROOT_KEY_ALIAS + strlen(ROOT_KEY_ALIAS)}) !=
+        DistributedDB::DBStatus::OK) {
+        return Status::ERROR;
+    }
+    ZLOGI("GenerateRootKey Succeed.");
+    return Status::SUCCESS;
 }
 
 Status KvStoreMetaManager::CheckRootKeyExist()
@@ -298,13 +355,105 @@ Status KvStoreMetaManager::CheckRootKeyExist()
 
 std::vector<uint8_t> KvStoreMetaManager::EncryptWorkKey(const std::vector<uint8_t> &key)
 {
+    struct HksBlob blobAad = { vecAad_.size(), &(vecAad_[0]) };
+    struct HksBlob blobNonce = { vecNonce_.size(), &(vecNonce_[0]) };
+    struct HksBlob rootKeyName = { vecRootKeyAlias_.size(), &(vecRootKeyAlias_[0]) };
+    struct HksBlob plainKey = { key.size(), const_cast<uint8_t *>(&(key[0])) };
+    uint8_t cipherBuf[256] = { 0 };
+    struct HksBlob encryptedKey = { sizeof(cipherBuf), cipherBuf };
     std::vector<uint8_t> encryptedKeyVec;
+    struct HksParamSet *encryptParamSet = nullptr;
+    int32_t ret = HksInitParamSet(&encryptParamSet);
+    if (ret != HKS_SUCCESS) {
+        ZLOGE("HksInitParamSet() failed with error %{public}d", ret);
+        return {};
+    }
+    struct HksParam encryptParams[] = {
+        { .tag = HKS_TAG_ALGORITHM, .uint32Param = HKS_ALG_AES },
+        { .tag = HKS_TAG_PURPOSE, .uint32Param = HKS_KEY_PURPOSE_ENCRYPT },
+        { .tag = HKS_TAG_DIGEST, .uint32Param = 0 },
+        { .tag = HKS_TAG_BLOCK_MODE, .uint32Param = HKS_MODE_GCM },
+        { .tag = HKS_TAG_PADDING, .uint32Param = HKS_PADDING_NONE },
+        { .tag = HKS_TAG_NONCE, .blob = blobNonce },
+        { .tag = HKS_TAG_ASSOCIATED_DATA, .blob = blobAad },
+    };
+    ret = HksAddParams(encryptParamSet, encryptParams, sizeof(encryptParams) / sizeof(encryptParams[0]));
+    if (ret != HKS_SUCCESS) {
+        ZLOGE("HksAddParams failed with error %{public}d", ret);
+        HksFreeParamSet(&encryptParamSet);
+        return {};
+    }
+
+    ret = HksBuildParamSet(&encryptParamSet);
+    if (ret != HKS_SUCCESS) {
+        ZLOGE("HksBuildParamSet failed with error %{public}d", ret);
+        HksFreeParamSet(&encryptParamSet);
+        return {};
+    }
+
+    ret = HksEncrypt(&rootKeyName, encryptParamSet, &plainKey, &encryptedKey);
+    if (ret != HKS_SUCCESS) {
+        ZLOGE("HksEncrypt failed with error %{public}d", ret);
+        HksFreeParamSet(&encryptParamSet);
+        return {};
+    }
+    (void)HksFreeParamSet(&encryptParamSet);
+
+    for (uint32_t i = 0; i < encryptedKey.size; i++) {
+        encryptedKeyVec.push_back(encryptedKey.data[i]);
+    }
     return encryptedKeyVec;
 }
 
 bool KvStoreMetaManager::DecryptWorkKey(const std::vector<uint8_t> &encryptedKey, std::vector<uint8_t> &key)
 {
-    return false;
+    struct HksBlob blobAad = { vecAad_.size(), &(vecAad_[0]) };
+    struct HksBlob blobNonce = { vecNonce_.size(), &(vecNonce_[0]) };
+    struct HksBlob rootKeyName = { vecRootKeyAlias_.size(), &(vecRootKeyAlias_[0]) };
+    struct HksBlob encryptedKeyBlob = { encryptedKey.size(), const_cast<uint8_t *>(&(encryptedKey[0])) };
+    uint8_t plainBuf[256] = { 0 };
+    struct HksBlob plainKeyBlob = { sizeof(plainBuf), plainBuf };
+    struct HksParamSet *decryptParamSet = nullptr;
+    int32_t ret = HksInitParamSet(&decryptParamSet);
+    if (ret != HKS_SUCCESS) {
+        ZLOGE("HksInitParamSet() failed with error %{public}d", ret);
+        return false;
+    }
+    struct HksParam decryptParams[] = {
+        { .tag = HKS_TAG_ALGORITHM, .uint32Param = HKS_ALG_AES },
+        { .tag = HKS_TAG_PURPOSE, .uint32Param = HKS_KEY_PURPOSE_DECRYPT },
+        { .tag = HKS_TAG_DIGEST, .uint32Param = 0 },
+        { .tag = HKS_TAG_BLOCK_MODE, .uint32Param = HKS_MODE_GCM },
+        { .tag = HKS_TAG_PADDING, .uint32Param = HKS_PADDING_NONE },
+        { .tag = HKS_TAG_NONCE, .blob = blobNonce },
+        { .tag = HKS_TAG_ASSOCIATED_DATA, .blob = blobAad },
+    };
+    ret = HksAddParams(decryptParamSet, decryptParams, sizeof(decryptParams) / sizeof(decryptParams[0]));
+    if (ret !=  HKS_SUCCESS) {
+        ZLOGE("HksAddParams failed with error %{public}d", ret);
+        HksFreeParamSet(&decryptParamSet);
+        return false;
+    }
+
+    ret = HksBuildParamSet(&decryptParamSet);
+    if (ret != HKS_SUCCESS) {
+        ZLOGE("HksBuildParamSet failed with error %{public}d", ret);
+        HksFreeParamSet(&decryptParamSet);
+        return false;
+    }
+
+    ret = HksDecrypt(&rootKeyName, decryptParamSet, &encryptedKeyBlob, &plainKeyBlob);
+    if (ret != HKS_SUCCESS) {
+        ZLOGW("HksDecrypt failed with error %{public}d", ret);
+        HksFreeParamSet(&decryptParamSet);
+        return false;
+    }
+    (void)HksFreeParamSet(&decryptParamSet);
+
+    for (uint32_t i = 0; i < plainKeyBlob.size; i++) {
+        key.push_back(plainKeyBlob.data[i]);
+    }
+    return true;
 }
 
 Status KvStoreMetaManager::WriteSecretKeyToMeta(const std::vector<uint8_t> &metaKey, const std::vector<uint8_t> &key)
diff --git a/services/distributeddataservice/app/src/kvstore_meta_manager.h b/services/distributeddataservice/app/src/kvstore_meta_manager.h
index 3c70189e9503b4e78561d81fc16b02128d781c5e..05aa7bdf73cbe625d50dfb53cab918c9f9952d83 100755
--- a/services/distributeddataservice/app/src/kvstore_meta_manager.h
+++ b/services/distributeddataservice/app/src/kvstore_meta_manager.h
@@ -19,6 +19,8 @@
 #include <nlohmann/json.hpp>
 
 #include "app_device_status_change_listener.h"
+#include "hks_api.h"
+#include "hks_param.h"
 #include "types.h"
 #include "system_ability.h"
 #include "kv_store_delegate.h"
@@ -286,12 +288,17 @@ private:
     static constexpr const char *LOCAL_LABEL = "localLabel";
     static constexpr const char *REMOTE_LABEL = "remoteLabel";
     static constexpr const char *HARMONY_APP = "harmony";
+    static constexpr const char *HKS_BLOB_TYPE_NONCE = "Z5s0Bo571KoqwIi6";
+    static constexpr const char *HKS_BLOB_TYPE_AAD = "distributeddata";
     static constexpr int KEY_SIZE = 32;
     static constexpr int HOURS_PER_YEAR = (24 * 365);
 
     NbDelegate metaDelegate_ {};
     std::string metaDBDirectory_;
     DistributedDB::KvStoreDelegateManager kvStoreDelegateManager_;
+    std::vector<uint8_t> vecRootKeyAlias_ {};
+    std::vector<uint8_t> vecNonce_ {};
+    std::vector<uint8_t> vecAad_ {};
     static std::condition_variable cv_;
     static std::mutex cvMutex_;
     static MetaDeviceChangeListenerImpl listener_;
diff --git a/services/distributeddataservice/app/src/uninstaller/BUILD.gn b/services/distributeddataservice/app/src/uninstaller/BUILD.gn
index ec45a40484e0f54bd153e5e78a329c1a34b5a4e2..41d8af81347617d7828f68feb1080e765bab10fb 100755
--- a/services/distributeddataservice/app/src/uninstaller/BUILD.gn
+++ b/services/distributeddataservice/app/src/uninstaller/BUILD.gn
@@ -27,6 +27,7 @@ ohos_static_library("distributeddata_uninstaller_static") {
     "//foundation/distributeddatamgr/distributeddatamgr/interfaces/innerkits/app_distributeddata/include",
     "//third_party/json/single_include",
     "//utils/native/base/include",
+    "//base/security/huks/interfaces/innerkits/huks_standard/main/include",
   ]
 
   cflags_cc = [ "-fvisibility=hidden" ]