diff --git a/api/services/control.pb.go b/api/services/control.pb.go
index 960d1a676e704c9e5274874503c6b1cfab8c7f98..78fa9519b82000ec33f477db5549fbe5802cb918 100644
--- a/api/services/control.pb.go
+++ b/api/services/control.pb.go
@@ -72,14 +72,12 @@ type BuildRequest struct {
 	Iidfile string `protobuf:"bytes,8,opt,name=iidfile,proto3" json:"iidfile,omitempty"`
 	// buildStatic is used to hold the options for static build
 	BuildStatic *BuildStatic `protobuf:"bytes,9,opt,name=buildStatic,proto3" json:"buildStatic,omitempty"`
-	// encryptKey is key to encrypt items in buildArgs
-	EncryptKey string `protobuf:"bytes,10,opt,name=encryptKey,proto3" json:"encryptKey,omitempty"`
 	// additionalTag is the tag applied to the built image
-	AdditionalTag string `protobuf:"bytes,11,opt,name=additionalTag,proto3" json:"additionalTag,omitempty"`
+	AdditionalTag string `protobuf:"bytes,10,opt,name=additionalTag,proto3" json:"additionalTag,omitempty"`
 	// capAddList indicates Linux capabilities for RUN command
-	CapAddList []string `protobuf:"bytes,12,rep,name=capAddList,proto3" json:"capAddList,omitempty"`
+	CapAddList []string `protobuf:"bytes,11,rep,name=capAddList,proto3" json:"capAddList,omitempty"`
 	// entityID is an id to descript a physic building
-	EntityID             string   `protobuf:"bytes,13,opt,name=entityID,proto3" json:"entityID,omitempty"`
+	EntityID             string   `protobuf:"bytes,12,opt,name=entityID,proto3" json:"entityID,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
 	XXX_sizecache        int32    `json:"-"`
@@ -172,13 +170,6 @@ func (m *BuildRequest) GetBuildStatic() *BuildStatic {
 	return nil
 }
 
-func (m *BuildRequest) GetEncryptKey() string {
-	if m != nil {
-		return m.EncryptKey
-	}
-	return ""
-}
-
 func (m *BuildRequest) GetAdditionalTag() string {
 	if m != nil {
 		return m.AdditionalTag
@@ -864,9 +855,7 @@ type LoginRequest struct {
 	// username is username to login
 	Username string `protobuf:"bytes,2,opt,name=username,proto3" json:"username,omitempty"`
 	// password is password to login
-	Password string `protobuf:"bytes,3,opt,name=password,proto3" json:"password,omitempty"`
-	// key is aes key used for encrypt and decrypt password
-	Key                  string   `protobuf:"bytes,4,opt,name=key,proto3" json:"key,omitempty"`
+	Password             string   `protobuf:"bytes,3,opt,name=password,proto3" json:"password,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
 	XXX_sizecache        int32    `json:"-"`
@@ -917,13 +906,6 @@ func (m *LoginRequest) GetPassword() string {
 	return ""
 }
 
-func (m *LoginRequest) GetKey() string {
-	if m != nil {
-		return m.Key
-	}
-	return ""
-}
-
 type LoginResponse struct {
 	// login response sent to front-end
 	Content              string   `protobuf:"bytes,1,opt,name=content,proto3" json:"content,omitempty"`
@@ -1542,96 +1524,95 @@ func init() {
 func init() { proto.RegisterFile("api/services/control.proto", fileDescriptor_d71ef680555cb937) }
 
 var fileDescriptor_d71ef680555cb937 = []byte{
-	// 1418 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x56, 0x6d, 0x6f, 0xdb, 0xb6,
-	0x13, 0xff, 0xcb, 0x72, 0x9c, 0xe4, 0x64, 0xa7, 0x01, 0xff, 0x45, 0x26, 0xb8, 0x69, 0x9b, 0x69,
-	0xc5, 0xe0, 0x75, 0x80, 0x93, 0x66, 0x7d, 0xb1, 0x0e, 0xeb, 0xb0, 0x3c, 0xb4, 0x9d, 0xd7, 0xd6,
-	0xc1, 0x94, 0xac, 0x7b, 0x59, 0xb0, 0x36, 0xa3, 0x10, 0x91, 0x44, 0x8d, 0xa4, 0xd2, 0x7a, 0xfb,
-	0x1a, 0x7b, 0x33, 0x60, 0xfb, 0x0c, 0xfb, 0x20, 0xfb, 0x02, 0xfb, 0x38, 0x03, 0x29, 0x52, 0x92,
-	0x2d, 0xa7, 0xdd, 0x3b, 0xde, 0xef, 0xee, 0xc8, 0x7b, 0xe2, 0xdd, 0x41, 0x1f, 0x67, 0x74, 0x57,
-	0x10, 0x7e, 0x45, 0x27, 0x44, 0xec, 0x4e, 0x58, 0x2a, 0x39, 0x8b, 0x87, 0x19, 0x67, 0x92, 0xa1,
-	0x0d, 0x2a, 0xf2, 0x18, 0x0f, 0xdf, 0xe4, 0x34, 0x9e, 0x0e, 0xaf, 0x1e, 0xf4, 0x6f, 0x45, 0x8c,
-	0x45, 0x31, 0xd9, 0xd5, 0xdc, 0x37, 0xf9, 0xf9, 0x2e, 0x49, 0x32, 0x39, 0x2b, 0x84, 0xfb, 0x77,
-	0x17, 0x99, 0x92, 0x26, 0x44, 0x48, 0x9c, 0x64, 0x85, 0x40, 0xf0, 0x97, 0x0b, 0xdd, 0x43, 0x75,
-	0x55, 0x48, 0x7e, 0xce, 0x89, 0x90, 0x68, 0x1b, 0xd6, 0xf5, 0xd5, 0x67, 0xb3, 0x8c, 0xf8, 0xce,
-	0x8e, 0x33, 0x58, 0x0f, 0x2b, 0x00, 0xf9, 0xb0, 0xaa, 0x89, 0xd1, 0xb1, 0xdf, 0xd2, 0x3c, 0x4b,
-	0xa2, 0x3b, 0x00, 0xca, 0x4e, 0xf2, 0x4e, 0x1e, 0x53, 0xee, 0xbb, 0x9a, 0x59, 0x43, 0xd0, 0x0e,
-	0x78, 0xe7, 0x34, 0x26, 0x47, 0x0a, 0x49, 0xa5, 0xdf, 0xd6, 0x02, 0x75, 0x08, 0x6d, 0x41, 0x87,
-	0xe5, 0x32, 0xcb, 0xa5, 0xbf, 0xa2, 0x99, 0x86, 0x2a, 0x2d, 0x3a, 0xe0, 0x91, 0xf0, 0x3b, 0x3b,
-	0x6e, 0x69, 0x91, 0x02, 0xd0, 0x4d, 0x58, 0xc9, 0x38, 0x7b, 0x37, 0xf3, 0x57, 0x77, 0x9c, 0xc1,
-	0x5a, 0x58, 0x10, 0xca, 0x4e, 0x4a, 0xa7, 0xea, 0x76, 0x7f, 0xad, 0xb0, 0xd3, 0x90, 0xe8, 0x31,
-	0x78, 0x5a, 0xf9, 0x54, 0x62, 0x49, 0x27, 0xfe, 0xfa, 0x8e, 0x33, 0xf0, 0xf6, 0x6f, 0x0d, 0xe7,
-	0x83, 0x3a, 0x3c, 0xac, 0x44, 0xc2, 0xba, 0xbc, 0x72, 0x93, 0xa4, 0x13, 0x3e, 0xcb, 0xe4, 0x73,
-	0x32, 0xf3, 0xa1, 0x70, 0xb3, 0x42, 0xd0, 0x3d, 0xe8, 0xe1, 0xe9, 0x94, 0x4a, 0xca, 0x52, 0x1c,
-	0x9f, 0xe1, 0xc8, 0xf7, 0xb4, 0xc8, 0x3c, 0xa8, 0x83, 0x85, 0xb3, 0x83, 0xe9, 0xf4, 0x05, 0x15,
-	0xd2, 0xef, 0x6a, 0x9f, 0x6a, 0x08, 0xea, 0xc3, 0x1a, 0x49, 0x25, 0x95, 0xb3, 0xd1, 0xb1, 0xdf,
-	0xd3, 0x17, 0x94, 0x74, 0x70, 0x00, 0xbd, 0x51, 0x92, 0x31, 0x2e, 0x6b, 0x19, 0xe3, 0xe4, 0x9c,
-	0x70, 0x92, 0x4e, 0xca, 0x8c, 0x95, 0x00, 0x42, 0xd0, 0x9e, 0x62, 0x89, 0x75, 0xba, 0xba, 0xa1,
-	0x3e, 0x07, 0x01, 0x6c, 0xd8, 0x2b, 0x44, 0xc6, 0x52, 0x41, 0xd0, 0x26, 0xb8, 0x31, 0x8b, 0x8c,
-	0xb6, 0x3a, 0x06, 0xcf, 0xc0, 0xab, 0x05, 0x01, 0x7d, 0x69, 0xcb, 0x82, 0x26, 0xc5, 0x23, 0xde,
-	0x7e, 0x7f, 0x58, 0x14, 0xd7, 0xd0, 0x16, 0xd7, 0xf0, 0xcc, 0x16, 0x57, 0x58, 0x09, 0x07, 0x8f,
-	0xa1, 0x67, 0x0a, 0xcc, 0xbc, 0xa5, 0x72, 0x93, 0xe0, 0x88, 0x8c, 0x8e, 0xcd, 0x7b, 0x96, 0x5c,
-	0x6a, 0xeb, 0x67, 0xd0, 0x53, 0x26, 0xe4, 0xc2, 0xba, 0x5b, 0x2b, 0x41, 0x67, 0xae, 0x04, 0x83,
-	0xfb, 0xb0, 0x61, 0x45, 0xab, 0xa7, 0x26, 0xa6, 0xe0, 0x8c, 0xac, 0x21, 0x83, 0xcf, 0xc1, 0x53,
-	0x91, 0xae, 0xc5, 0x50, 0x1b, 0x31, 0xc6, 0x49, 0x19, 0xc3, 0x12, 0x08, 0x1e, 0x02, 0x9c, 0xe1,
-	0xc8, 0xca, 0xde, 0x84, 0x15, 0xcd, 0x32, 0x72, 0x05, 0xa1, 0x22, 0x28, 0x71, 0x64, 0x7e, 0x85,
-	0x3a, 0x06, 0x7f, 0x3b, 0xd0, 0x2d, 0xde, 0x30, 0xd6, 0x7c, 0x03, 0x1d, 0x2d, 0x2b, 0x7c, 0x67,
-	0xc7, 0x1d, 0x78, 0xfb, 0x9f, 0x2e, 0x56, 0x5d, 0x5d, 0x7a, 0x38, 0xd2, 0x41, 0x49, 0xcf, 0x59,
-	0x68, 0xb4, 0xfa, 0xbf, 0xc2, 0x7a, 0x09, 0xaa, 0x12, 0xe2, 0x24, 0x63, 0x82, 0x4a, 0xc6, 0x67,
-	0xc6, 0x94, 0x1a, 0xd2, 0xb4, 0x07, 0x6d, 0x40, 0x8b, 0x4e, 0xcd, 0xcf, 0x6c, 0xd1, 0xa9, 0x0e,
-	0x0e, 0x27, 0x58, 0x92, 0xa9, 0xf9, 0x8d, 0x96, 0x54, 0x79, 0x10, 0xf4, 0x17, 0x62, 0xfe, 0xa1,
-	0x3e, 0x07, 0x7f, 0x3a, 0x70, 0xe3, 0x15, 0xe1, 0x82, 0xb2, 0xb4, 0x1e, 0xde, 0xab, 0x02, 0xb2,
-	0xe1, 0x35, 0xa4, 0x8a, 0x67, 0xc4, 0x8c, 0xb8, 0xb1, 0xa1, 0x02, 0x34, 0x97, 0xca, 0x23, 0x96,
-	0x24, 0x54, 0x1a, 0x83, 0x2a, 0xa0, 0xea, 0x40, 0xaa, 0xd4, 0xda, 0xf5, 0x0e, 0x44, 0x13, 0xa2,
-	0xbb, 0x84, 0x38, 0xe0, 0x93, 0x8b, 0xb2, 0x4b, 0x68, 0x2a, 0xf8, 0x01, 0x7a, 0x21, 0x49, 0xd8,
-	0x15, 0xa9, 0xd5, 0x49, 0x55, 0x66, 0x6e, 0xbd, 0xcc, 0x36, 0xc1, 0xc5, 0x71, 0xac, 0xcd, 0x5a,
-	0x0b, 0xd5, 0xb1, 0x68, 0x22, 0x79, 0x4a, 0xb4, 0x31, 0xba, 0x89, 0xe4, 0xa9, 0x4a, 0xfb, 0x86,
-	0xbd, 0xd2, 0x38, 0x1c, 0x40, 0x37, 0xc6, 0x33, 0xc2, 0x5f, 0x12, 0x21, 0xaa, 0x0a, 0x98, 0xc3,
-	0x82, 0x3f, 0x1c, 0xf8, 0xff, 0x77, 0x04, 0xc7, 0xf2, 0xe2, 0xe8, 0x82, 0x4c, 0x2e, 0x4b, 0xdd,
-	0x11, 0x74, 0x84, 0xae, 0x4e, 0xad, 0xb5, 0xb1, 0xff, 0x60, 0x31, 0xfb, 0x4b, 0x94, 0x86, 0xa7,
-	0x6a, 0x06, 0xa4, 0x91, 0x29, 0x6b, 0x73, 0x41, 0xf0, 0x15, 0xf4, 0xe6, 0x18, 0xc8, 0x83, 0xd5,
-	0x1f, 0xc7, 0xcf, 0xc7, 0x27, 0x3f, 0x8d, 0x37, 0xff, 0xa7, 0x88, 0xd3, 0x27, 0xe1, 0xab, 0xd1,
-	0xf8, 0xd9, 0xa6, 0x83, 0x6e, 0x80, 0x37, 0x3e, 0x39, 0x7b, 0x6d, 0x81, 0x56, 0x90, 0x41, 0xf7,
-	0x05, 0x8b, 0x68, 0x6a, 0xc3, 0xb4, 0x05, 0x1d, 0x35, 0x68, 0x08, 0x37, 0xce, 0x18, 0x4a, 0xb5,
-	0xa0, 0x5c, 0x10, 0x9e, 0xaa, 0x0f, 0x51, 0x24, 0xb0, 0xa4, 0x15, 0x2f, 0xc3, 0x42, 0xbc, 0x65,
-	0xdc, 0xd6, 0x53, 0x49, 0xab, 0xe0, 0x5e, 0x92, 0x99, 0xc9, 0x9b, 0x3a, 0xaa, 0x1f, 0x6c, 0x5e,
-	0xfc, 0xe0, 0xaf, 0x7c, 0xa4, 0x45, 0x59, 0x2e, 0x3f, 0x64, 0x5d, 0x23, 0x85, 0xc1, 0x00, 0x36,
-	0xac, 0xaa, 0x79, 0x66, 0x0b, 0x3a, 0x9c, 0x88, 0x3c, 0xb6, 0xaf, 0x18, 0x2a, 0xf8, 0x18, 0xbc,
-	0x17, 0x0c, 0x97, 0x03, 0x0f, 0x41, 0x3b, 0xc3, 0xf2, 0xc2, 0x08, 0xe9, 0x73, 0xb0, 0xa3, 0x82,
-	0x84, 0xa7, 0xef, 0x69, 0x8f, 0x27, 0xe0, 0x9d, 0xe2, 0xaa, 0xd8, 0x96, 0xf7, 0x04, 0x7b, 0x75,
-	0xab, 0xba, 0x5a, 0x7b, 0x84, 0xaf, 0x54, 0x55, 0xba, 0xc6, 0x23, 0x4d, 0x05, 0x0f, 0xa1, 0x5b,
-	0x5c, 0x68, 0x9e, 0xb4, 0xbd, 0xd0, 0xa9, 0x7a, 0xa1, 0x35, 0xa3, 0x55, 0x99, 0x31, 0x83, 0xd5,
-	0x97, 0x24, 0x39, 0x56, 0xcc, 0x3e, 0xac, 0x25, 0x24, 0x39, 0x63, 0x12, 0xc7, 0x5a, 0xc9, 0x0d,
-	0x4b, 0x5a, 0x45, 0x3c, 0x21, 0xc9, 0x53, 0x4e, 0x8a, 0x5c, 0xba, 0xa1, 0x25, 0xd5, 0x67, 0x13,
-	0x6f, 0x71, 0x56, 0xa8, 0xb9, 0x9a, 0x57, 0x01, 0xea, 0x4e, 0x45, 0x68, 0xc5, 0x76, 0x71, 0xa7,
-	0xa5, 0x83, 0xd7, 0xe0, 0x9d, 0x4a, 0xc6, 0x71, 0x44, 0xf4, 0xf3, 0xf7, 0xa0, 0x27, 0x0c, 0xc9,
-	0x69, 0x95, 0xb0, 0x79, 0x10, 0xdd, 0x87, 0x4d, 0x03, 0x1c, 0xe2, 0xc9, 0x25, 0x4d, 0xa3, 0xa7,
-	0xc2, 0xb8, 0xd3, 0xc0, 0x83, 0xdf, 0x1c, 0xe8, 0x86, 0x24, 0xa2, 0x42, 0xf2, 0x99, 0x7e, 0xe2,
-	0x3e, 0x6c, 0xf2, 0x82, 0xa6, 0x44, 0x9c, 0x12, 0xac, 0x9a, 0x40, 0xf1, 0xb5, 0x1b, 0x38, 0x1a,
-	0x02, 0xaa, 0xb0, 0x51, 0x2a, 0xc8, 0x24, 0xe7, 0xca, 0x79, 0x25, 0xbd, 0x84, 0x83, 0x06, 0x70,
-	0xa3, 0x42, 0x0f, 0x63, 0x36, 0xb9, 0xf4, 0x5d, 0x2d, 0xbc, 0x08, 0x07, 0xff, 0xb4, 0xa0, 0xab,
-	0xdb, 0xb2, 0xcd, 0xd4, 0x03, 0x1d, 0x5c, 0x05, 0x99, 0xc1, 0xf8, 0xd1, 0xe2, 0xcf, 0x36, 0x29,
-	0x0a, 0xad, 0x9c, 0x5a, 0x42, 0x8c, 0xbb, 0x5a, 0xad, 0xb5, 0x7c, 0x09, 0xa9, 0x85, 0x37, 0xac,
-	0xcb, 0xa3, 0x6f, 0xa1, 0x6b, 0xac, 0x9a, 0x69, 0x7d, 0x57, 0xeb, 0x6f, 0x2f, 0xea, 0xd7, 0x83,
-	0x17, 0xce, 0x69, 0xa8, 0xc4, 0xaa, 0x8a, 0x0a, 0x19, 0xb3, 0xab, 0x58, 0x49, 0xab, 0x62, 0xe1,
-	0x79, 0xaa, 0x59, 0x45, 0x8b, 0xb5, 0xa4, 0x9a, 0x39, 0x27, 0x47, 0xa3, 0x30, 0x4f, 0xd5, 0x16,
-	0xe9, 0x77, 0x8a, 0x99, 0x53, 0x21, 0x8a, 0xaf, 0x1f, 0x27, 0x7c, 0x9c, 0x27, 0x7a, 0x21, 0x73,
-	0xc3, 0x1a, 0xa2, 0xf8, 0x11, 0x0b, 0x59, 0x2e, 0x69, 0x4a, 0x84, 0x5e, 0xcc, 0xdc, 0xb0, 0x86,
-	0xec, 0xff, 0xbe, 0x0a, 0xab, 0x47, 0xc5, 0xb2, 0x8b, 0x9e, 0xc2, 0x8a, 0x5e, 0x1b, 0xd0, 0xf6,
-	0xd2, 0xdd, 0xcc, 0x7c, 0xbc, 0xfe, 0xed, 0x6b, 0xb8, 0x45, 0x6e, 0xf6, 0x1c, 0xd5, 0x76, 0x4d,
-	0x93, 0xbc, 0xdd, 0x8c, 0x6f, 0x6d, 0xaf, 0xe8, 0xdf, 0xb9, 0x8e, 0x5d, 0x5e, 0x75, 0x00, 0x6d,
-	0xbd, 0x9d, 0xdd, 0x5a, 0x3e, 0xb7, 0x8b, 0x6b, 0xb6, 0xdf, 0x37, 0xd4, 0xd1, 0x21, 0xac, 0xda,
-	0x21, 0xb8, 0xd5, 0x58, 0x9f, 0x9e, 0xa8, 0xc5, 0xbd, 0x7f, 0x77, 0xf1, 0x82, 0xc5, 0xa9, 0x3b,
-	0x82, 0x4e, 0x31, 0x96, 0x9a, 0x1e, 0xcd, 0x4d, 0xc0, 0xa6, 0x47, 0xf3, 0xd3, 0x6c, 0xcf, 0x41,
-	0xdf, 0x83, 0x57, 0x9b, 0x3a, 0xd7, 0x9a, 0xf4, 0xc9, 0x7f, 0x18, 0x55, 0xe8, 0x18, 0x56, 0x74,
-	0x9b, 0x6f, 0x26, 0xac, 0x3e, 0x6f, 0x9a, 0x09, 0x9b, 0x9f, 0x0d, 0xcf, 0xa0, 0x53, 0xb4, 0x71,
-	0xb4, 0x4c, 0xb0, 0x9a, 0x0c, 0x4d, 0xe7, 0x16, 0xba, 0xff, 0x11, 0xb4, 0x55, 0x0b, 0x5f, 0x92,
-	0xac, 0xaa, 0xf7, 0x2f, 0x49, 0x56, 0xad, 0xeb, 0xef, 0x39, 0xe8, 0x39, 0x74, 0x8a, 0x45, 0xb9,
-	0x69, 0xcd, 0xdc, 0x0e, 0xde, 0xb4, 0x66, 0x7e, 0xbf, 0x1e, 0x38, 0x7b, 0x0e, 0x7a, 0x04, 0xae,
-	0xda, 0xfd, 0xfb, 0x8b, 0xa2, 0xd5, 0x6a, 0xd9, 0xbf, 0x26, 0x01, 0xca, 0x19, 0x35, 0x1c, 0x9a,
-	0xce, 0xd4, 0x66, 0x50, 0xd3, 0x99, 0xfa, 0x3c, 0xd9, 0x73, 0xd0, 0xd7, 0xd0, 0xd6, 0x7f, 0xff,
-	0xba, 0x2c, 0x37, 0xf4, 0xeb, 0x5d, 0xee, 0x4d, 0x47, 0x4b, 0x7f, 0xf1, 0x6f, 0x00, 0x00, 0x00,
-	0xff, 0xff, 0x35, 0x26, 0x1e, 0xed, 0x9b, 0x0e, 0x00, 0x00,
+	// 1394 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x56, 0x5f, 0x73, 0xdb, 0x44,
+	0x10, 0x47, 0x96, 0xe3, 0x24, 0x2b, 0x27, 0xcd, 0x1c, 0x9d, 0xa0, 0x71, 0xd3, 0xd6, 0x88, 0x0e,
+	0x63, 0xca, 0x8c, 0x93, 0x86, 0x3e, 0x50, 0x86, 0x32, 0xe4, 0x4f, 0x5b, 0x4c, 0x5b, 0x67, 0x50,
+	0x42, 0x79, 0xa3, 0x73, 0xb5, 0x2f, 0xca, 0x4d, 0x25, 0x9d, 0xb8, 0x3b, 0xa5, 0x35, 0x7c, 0x08,
+	0x5e, 0x78, 0x61, 0x06, 0x3e, 0x11, 0x5f, 0x80, 0x8f, 0xc3, 0xdc, 0xe9, 0x4e, 0x92, 0x2d, 0xa7,
+	0xe5, 0xed, 0xf6, 0xb7, 0x7f, 0x6e, 0x6f, 0x77, 0x6f, 0x77, 0xa1, 0x87, 0x33, 0xba, 0x2b, 0x08,
+	0xbf, 0xa4, 0x13, 0x22, 0x76, 0x27, 0x2c, 0x95, 0x9c, 0xc5, 0xc3, 0x8c, 0x33, 0xc9, 0xd0, 0x26,
+	0x15, 0x79, 0x8c, 0x87, 0xaf, 0x72, 0x1a, 0x4f, 0x87, 0x97, 0xf7, 0x7a, 0x37, 0x22, 0xc6, 0xa2,
+	0x98, 0xec, 0x6a, 0xee, 0xab, 0xfc, 0x7c, 0x97, 0x24, 0x99, 0x9c, 0x15, 0xc2, 0xbd, 0xdb, 0x8b,
+	0x4c, 0x49, 0x13, 0x22, 0x24, 0x4e, 0xb2, 0x42, 0x20, 0xf8, 0xdd, 0x85, 0xee, 0xa1, 0x32, 0x15,
+	0x92, 0x5f, 0x72, 0x22, 0x24, 0xda, 0x81, 0x75, 0x6d, 0xfa, 0x6c, 0x96, 0x11, 0xdf, 0xe9, 0x3b,
+	0x83, 0xf5, 0xb0, 0x02, 0x90, 0x0f, 0xab, 0x9a, 0x18, 0x1d, 0xfb, 0x2d, 0xcd, 0xb3, 0x24, 0xba,
+	0x05, 0xa0, 0xfc, 0x24, 0x6f, 0xe5, 0x31, 0xe5, 0xbe, 0xab, 0x99, 0x35, 0x04, 0xf5, 0xc1, 0x3b,
+	0xa7, 0x31, 0x39, 0x52, 0x48, 0x2a, 0xfd, 0xb6, 0x16, 0xa8, 0x43, 0x68, 0x1b, 0x3a, 0x2c, 0x97,
+	0x59, 0x2e, 0xfd, 0x15, 0xcd, 0x34, 0x54, 0xe9, 0xd1, 0x01, 0x8f, 0x84, 0xdf, 0xe9, 0xbb, 0xa5,
+	0x47, 0x0a, 0x40, 0xd7, 0x61, 0x25, 0xe3, 0xec, 0xed, 0xcc, 0x5f, 0xed, 0x3b, 0x83, 0xb5, 0xb0,
+	0x20, 0x94, 0x9f, 0x94, 0x4e, 0x95, 0x75, 0x7f, 0xad, 0xf0, 0xd3, 0x90, 0xe8, 0x21, 0x78, 0x5a,
+	0xf9, 0x54, 0x62, 0x49, 0x27, 0xfe, 0x7a, 0xdf, 0x19, 0x78, 0xfb, 0x37, 0x86, 0xf3, 0x41, 0x1d,
+	0x1e, 0x56, 0x22, 0x61, 0x5d, 0x1e, 0xdd, 0x81, 0x0d, 0x3c, 0x9d, 0x52, 0x49, 0x59, 0x8a, 0xe3,
+	0x33, 0x1c, 0xf9, 0xa0, 0xcd, 0xcf, 0x83, 0x3a, 0x18, 0x38, 0x3b, 0x98, 0x4e, 0x9f, 0x51, 0x21,
+	0x7d, 0x4f, 0xfb, 0x5c, 0x43, 0x50, 0x0f, 0xd6, 0x48, 0x2a, 0xa9, 0x9c, 0x8d, 0x8e, 0xfd, 0xae,
+	0x36, 0x50, 0xd2, 0xc1, 0x01, 0x6c, 0x8c, 0x92, 0x8c, 0x71, 0x59, 0xcb, 0x08, 0x27, 0xe7, 0x84,
+	0x93, 0x74, 0x52, 0x66, 0xa4, 0x04, 0x10, 0x82, 0xf6, 0x14, 0x4b, 0xac, 0xd3, 0xd1, 0x0d, 0xf5,
+	0x39, 0x08, 0x60, 0xd3, 0x9a, 0x10, 0x19, 0x4b, 0x05, 0x41, 0x5b, 0xe0, 0xc6, 0x2c, 0x32, 0xda,
+	0xea, 0x18, 0x3c, 0x01, 0xaf, 0xf6, 0x48, 0xf4, 0xa5, 0x4d, 0x3b, 0x4d, 0x8a, 0x4b, 0xbc, 0xfd,
+	0xde, 0xb0, 0x28, 0x9e, 0xa1, 0x2d, 0x9e, 0xe1, 0x99, 0x2d, 0x9e, 0xb0, 0x12, 0x0e, 0x1e, 0xc2,
+	0x86, 0x29, 0x20, 0x73, 0x97, 0x8a, 0x7d, 0x82, 0x23, 0x32, 0x3a, 0x36, 0xf7, 0x59, 0x72, 0xa9,
+	0xaf, 0x9f, 0xc1, 0x86, 0x72, 0x21, 0x17, 0xf6, 0xb9, 0xb5, 0x12, 0x73, 0xe6, 0x4a, 0x2c, 0xb8,
+	0x0b, 0x9b, 0x56, 0xb4, 0xba, 0x6a, 0x62, 0x0a, 0xca, 0xc8, 0x1a, 0x32, 0xf8, 0x1c, 0x3c, 0x15,
+	0xe9, 0x5a, 0x0c, 0xb5, 0x13, 0x63, 0x9c, 0x94, 0x31, 0x2c, 0x81, 0xe0, 0x3e, 0xc0, 0x19, 0x8e,
+	0xac, 0xec, 0x75, 0x58, 0xd1, 0x2c, 0x23, 0x57, 0x10, 0x2a, 0x82, 0x12, 0x47, 0xa6, 0xea, 0xd5,
+	0x31, 0xf8, 0xc7, 0x81, 0x6e, 0x71, 0x87, 0xf1, 0xe6, 0x1b, 0xe8, 0x68, 0x59, 0xe1, 0x3b, 0x7d,
+	0x77, 0xe0, 0xed, 0x7f, 0xba, 0x58, 0x55, 0x75, 0xe9, 0xe1, 0x48, 0x07, 0x25, 0x3d, 0x67, 0xa1,
+	0xd1, 0xea, 0xfd, 0x06, 0xeb, 0x25, 0xa8, 0x4a, 0x88, 0x93, 0x8c, 0x09, 0x2a, 0x19, 0x9f, 0x19,
+	0x57, 0x6a, 0x48, 0xd3, 0x1f, 0xb4, 0x09, 0x2d, 0x3a, 0x35, 0x3f, 0xaf, 0x45, 0xa7, 0x3a, 0x38,
+	0x9c, 0x60, 0x49, 0xa6, 0xe6, 0xb7, 0x59, 0x52, 0xe5, 0x41, 0xd0, 0x5f, 0x89, 0xf9, 0x67, 0xfa,
+	0x1c, 0xfc, 0xed, 0xc0, 0xb5, 0x17, 0x84, 0x0b, 0xca, 0xd2, 0x7a, 0x78, 0x2f, 0x0b, 0xc8, 0x86,
+	0xd7, 0x90, 0x2a, 0x9e, 0x11, 0x33, 0xe2, 0xc6, 0x87, 0x0a, 0xd0, 0x5c, 0x2a, 0x8f, 0x58, 0x92,
+	0x50, 0x69, 0x1c, 0xaa, 0x80, 0xaa, 0xc3, 0xa8, 0x52, 0x6b, 0xd7, 0x3b, 0x0c, 0x4d, 0x88, 0xee,
+	0x02, 0xe2, 0x80, 0x4f, 0x2e, 0xca, 0x2e, 0xa0, 0xa9, 0xe0, 0x07, 0xd8, 0x08, 0x49, 0xc2, 0x2e,
+	0x49, 0xad, 0x4e, 0xaa, 0x32, 0x73, 0xeb, 0x65, 0xb6, 0x05, 0x2e, 0x8e, 0x63, 0xed, 0xd6, 0x5a,
+	0xa8, 0x8e, 0x45, 0x93, 0xc8, 0x53, 0xa2, 0x9d, 0xd1, 0x4d, 0x22, 0x4f, 0x55, 0xda, 0x37, 0xad,
+	0x49, 0xf3, 0xe0, 0x00, 0xba, 0x31, 0x9e, 0x11, 0xfe, 0x9c, 0x08, 0x51, 0x55, 0xc0, 0x1c, 0x16,
+	0xfc, 0xe5, 0xc0, 0x87, 0xdf, 0x11, 0x1c, 0xcb, 0x8b, 0xa3, 0x0b, 0x32, 0x79, 0x5d, 0xea, 0x8e,
+	0xa0, 0x23, 0x74, 0x75, 0x6a, 0xad, 0xcd, 0xfd, 0x7b, 0x8b, 0xd9, 0x5f, 0xa2, 0x34, 0x3c, 0x55,
+	0x3d, 0x3e, 0x8d, 0x4c, 0x59, 0x1b, 0x03, 0xc1, 0x57, 0xb0, 0x31, 0xc7, 0x40, 0x1e, 0xac, 0xfe,
+	0x38, 0x7e, 0x3a, 0x3e, 0xf9, 0x69, 0xbc, 0xf5, 0x81, 0x22, 0x4e, 0x1f, 0x85, 0x2f, 0x46, 0xe3,
+	0x27, 0x5b, 0x0e, 0xba, 0x06, 0xde, 0xf8, 0xe4, 0xec, 0xa5, 0x05, 0x5a, 0xc1, 0xcf, 0xd0, 0x7d,
+	0xc6, 0x22, 0x9a, 0xda, 0x30, 0x6d, 0x43, 0x47, 0x0d, 0x12, 0xc2, 0xcd, 0x63, 0x0c, 0xa5, 0x5a,
+	0x50, 0x2e, 0x08, 0x4f, 0xd5, 0x87, 0x28, 0x12, 0x58, 0xd2, 0x8a, 0x97, 0x61, 0x21, 0xde, 0x30,
+	0x6e, 0xeb, 0xa9, 0xa4, 0xd5, 0x7f, 0x35, 0xf6, 0xdf, 0xfb, 0x07, 0x1f, 0x68, 0x51, 0x96, 0xcb,
+	0xf7, 0xf9, 0xd2, 0x48, 0x58, 0x30, 0x80, 0x4d, 0xab, 0x6a, 0xae, 0xd9, 0x86, 0x0e, 0x27, 0x22,
+	0x8f, 0xed, 0x2d, 0x86, 0x0a, 0x3e, 0x06, 0xef, 0x19, 0xc3, 0xe5, 0xf8, 0x42, 0xd0, 0xce, 0xb0,
+	0xbc, 0x30, 0x42, 0xfa, 0x1c, 0xf4, 0x55, 0x48, 0xf0, 0xf4, 0x1d, 0xcd, 0xf0, 0x04, 0xbc, 0x53,
+	0x5c, 0x95, 0xd6, 0xf2, 0x0e, 0x60, 0x4d, 0xb7, 0x2a, 0xd3, 0xfa, 0x45, 0xf8, 0x52, 0xd5, 0xa0,
+	0x6b, 0x5e, 0xa4, 0xa9, 0xe0, 0x3e, 0x74, 0x0b, 0x83, 0xe6, 0x4a, 0xdb, 0xf9, 0x9c, 0xaa, 0xf3,
+	0x59, 0x37, 0x5a, 0x95, 0x1b, 0x33, 0x58, 0x7d, 0x4e, 0x92, 0x63, 0xc5, 0xec, 0xc1, 0x5a, 0x42,
+	0x92, 0x33, 0x26, 0x71, 0xac, 0x95, 0xdc, 0xb0, 0xa4, 0x55, 0xc4, 0x13, 0x92, 0x3c, 0xe6, 0xa4,
+	0xc8, 0x9c, 0x1b, 0x5a, 0x52, 0x7d, 0x2d, 0xf1, 0x06, 0x67, 0x85, 0x9a, 0xab, 0x79, 0x15, 0xa0,
+	0x6c, 0x2a, 0x42, 0x2b, 0xb6, 0x0b, 0x9b, 0x96, 0x0e, 0x5e, 0x82, 0x77, 0x2a, 0x19, 0xc7, 0x11,
+	0xd1, 0xd7, 0xdf, 0x81, 0x0d, 0x61, 0x48, 0x4e, 0xab, 0x84, 0xcd, 0x83, 0xe8, 0x2e, 0x6c, 0x19,
+	0xe0, 0x10, 0x4f, 0x5e, 0xd3, 0x34, 0x7a, 0x2c, 0xcc, 0x73, 0x1a, 0x78, 0xf0, 0x87, 0x03, 0xdd,
+	0x90, 0x44, 0x54, 0x48, 0x3e, 0xd3, 0x57, 0xdc, 0x85, 0x2d, 0x5e, 0xd0, 0x94, 0x88, 0x53, 0x82,
+	0xd5, 0x97, 0x2f, 0x3e, 0x72, 0x03, 0x47, 0x43, 0x40, 0x15, 0x36, 0x4a, 0x05, 0x99, 0xe4, 0x5c,
+	0x3d, 0x5e, 0x49, 0x2f, 0xe1, 0xa0, 0x01, 0x5c, 0xab, 0xd0, 0xc3, 0x98, 0x4d, 0x5e, 0xfb, 0xae,
+	0x16, 0x5e, 0x84, 0x83, 0x7f, 0x5b, 0xd0, 0xd5, 0x4d, 0xd8, 0x66, 0xea, 0x9e, 0x0e, 0xae, 0x82,
+	0xcc, 0x18, 0xfc, 0x68, 0xf1, 0x1f, 0x9b, 0x14, 0x85, 0x56, 0x4e, 0xad, 0x14, 0xe6, 0xb9, 0x5a,
+	0xad, 0xb5, 0x7c, 0xa5, 0xa8, 0x85, 0x37, 0xac, 0xcb, 0xa3, 0x6f, 0xa1, 0x6b, 0xbc, 0x9a, 0x69,
+	0x7d, 0x57, 0xeb, 0xef, 0x2c, 0xea, 0xd7, 0x83, 0x17, 0xce, 0x69, 0xa8, 0xc4, 0xaa, 0x8a, 0x0a,
+	0x19, 0xb3, 0x8b, 0x55, 0x49, 0xab, 0x62, 0xe1, 0x79, 0xaa, 0x59, 0x45, 0x43, 0xb5, 0xa4, 0x9a,
+	0x30, 0x27, 0x47, 0xa3, 0x30, 0x4f, 0xd5, 0x4e, 0xe8, 0x77, 0x8a, 0x09, 0x53, 0x21, 0x8a, 0xaf,
+	0x2f, 0x27, 0x7c, 0x9c, 0x27, 0x7a, 0xbd, 0x72, 0xc3, 0x1a, 0xa2, 0xf8, 0x11, 0x0b, 0x59, 0x2e,
+	0x69, 0x4a, 0x84, 0x5e, 0xb3, 0xdc, 0xb0, 0x86, 0xec, 0xff, 0xb9, 0x0a, 0xab, 0x47, 0xc5, 0xea,
+	0x8a, 0x1e, 0xc3, 0x8a, 0x5e, 0x12, 0xd0, 0xce, 0xd2, 0x4d, 0xcb, 0x7c, 0xbc, 0xde, 0xcd, 0x2b,
+	0xb8, 0x45, 0x6e, 0xf6, 0x1c, 0xd5, 0x64, 0x4d, 0x4b, 0xbc, 0xd9, 0x8c, 0x6f, 0x6d, 0x8b, 0xe8,
+	0xdd, 0xba, 0x8a, 0x5d, 0x9a, 0x3a, 0x80, 0xb6, 0xde, 0xc5, 0x6e, 0x2c, 0x9f, 0xd2, 0x85, 0x99,
+	0x9d, 0x77, 0x8d, 0x70, 0x74, 0x08, 0xab, 0x76, 0xe4, 0x6d, 0x37, 0x96, 0xa5, 0x47, 0x6a, 0x0d,
+	0xef, 0xdd, 0x5e, 0x34, 0xb0, 0x38, 0x63, 0x47, 0xd0, 0x29, 0x86, 0x50, 0xf3, 0x45, 0x73, 0xf3,
+	0xae, 0xf9, 0xa2, 0xf9, 0xd9, 0xb5, 0xe7, 0xa0, 0xef, 0xc1, 0xab, 0xcd, 0x98, 0x2b, 0x5d, 0xfa,
+	0xe4, 0x7f, 0x0c, 0x26, 0x74, 0x0c, 0x2b, 0xba, 0xcd, 0x37, 0x13, 0x56, 0x9f, 0x2e, 0xcd, 0x84,
+	0xcd, 0xcf, 0x86, 0x27, 0xd0, 0x29, 0xda, 0x38, 0x5a, 0x26, 0x58, 0x4d, 0x86, 0xe6, 0xe3, 0x16,
+	0xba, 0xff, 0x11, 0xb4, 0x55, 0x0b, 0x5f, 0x92, 0xac, 0xaa, 0xf7, 0x2f, 0x49, 0x56, 0xad, 0xeb,
+	0xef, 0x39, 0xe8, 0x29, 0x74, 0x8a, 0xb5, 0xb8, 0xe9, 0xcd, 0xdc, 0xc6, 0xdd, 0xf4, 0x66, 0x7e,
+	0x9b, 0x1e, 0x38, 0x7b, 0x0e, 0x7a, 0x00, 0xae, 0xda, 0xf4, 0x7b, 0x8b, 0xa2, 0xd5, 0x22, 0xd9,
+	0xbb, 0x22, 0x01, 0xea, 0x31, 0x6a, 0x38, 0x34, 0x1f, 0x53, 0x9b, 0x41, 0xcd, 0xc7, 0xd4, 0xe7,
+	0xc9, 0x9e, 0x83, 0xbe, 0x86, 0xb6, 0xfe, 0xfb, 0x57, 0x65, 0xb9, 0xa1, 0x5f, 0xef, 0x72, 0xaf,
+	0x3a, 0x5a, 0xfa, 0x8b, 0xff, 0x02, 0x00, 0x00, 0xff, 0xff, 0xfa, 0x0a, 0xc5, 0xff, 0x69, 0x0e,
+	0x00, 0x00,
 }
 
 // Reference imports to suppress errors if they are not otherwise used.
diff --git a/api/services/control.proto b/api/services/control.proto
index e304174e49a5bda39f3f38295b17cabc1cf8a4b9..5bf4c8b471e7c953f8829ee7e2a777f22ec6dd0c 100755
--- a/api/services/control.proto
+++ b/api/services/control.proto
@@ -65,14 +65,12 @@ message BuildRequest {
     string iidfile = 8;
     // buildStatic is used to hold the options for static build
     BuildStatic buildStatic = 9;
-    // encryptKey is key to encrypt items in buildArgs
-    string encryptKey = 10;
     // additionalTag is the tag applied to the built image
-    string additionalTag = 11;
+    string additionalTag = 10;
     // capAddList indicates Linux capabilities for RUN command
-    repeated string capAddList = 12;
+    repeated string capAddList = 11;
     // entityID is an id to descript a physic building
-    string entityID = 13;
+    string entityID = 12;
 }
 
 message ImportRequest {
@@ -177,8 +175,6 @@ message LoginRequest {
     string username = 2;
     // password is password to login
     string password = 3;
-    // key is aes key used for encrypt and decrypt password
-    string key = 4;
 }
 
 message LoginResponse {
@@ -271,3 +267,4 @@ message InfoResponse {
     // goRoutines is number of go routines
     int64 goRoutines = 8;
 }
+
diff --git a/builder/builder.go b/builder/builder.go
index d4652cb14378f19e89daea2708ebf6d31d0b08b4..02c40ea7fdc66277b3140b28d16293812eeb236a 100644
--- a/builder/builder.go
+++ b/builder/builder.go
@@ -16,6 +16,7 @@ package builder
 
 import (
 	"context"
+	"crypto/rsa"
 
 	"github.com/pkg/errors"
 
@@ -36,10 +37,10 @@ type Builder interface {
 }
 
 // NewBuilder init a builder
-func NewBuilder(ctx context.Context, store store.Store, req *pb.BuildRequest, runtimePath, buildDir, runDir string) (Builder, error) {
+func NewBuilder(ctx context.Context, store store.Store, req *pb.BuildRequest, runtimePath, buildDir, runDir string, key *rsa.PrivateKey) (Builder, error) {
 	switch req.GetBuildType() {
 	case constant.BuildContainerImageType:
-		return dockerfile.NewBuilder(ctx, store, req, runtimePath, buildDir, runDir)
+		return dockerfile.NewBuilder(ctx, store, req, runtimePath, buildDir, runDir, key)
 	default:
 		return nil, errors.Errorf("the build type %q is not supported", req.GetBuildType())
 	}
diff --git a/builder/builder_test.go b/builder/builder_test.go
index 11f32b6b6ff425a053f631d0630e9dbe5a5c8eb0..af6f9f721cbf3abd31dea7d64132b4412594e64e 100644
--- a/builder/builder_test.go
+++ b/builder/builder_test.go
@@ -18,17 +18,21 @@ import (
 	"reflect"
 	"testing"
 
+	"gotest.tools/assert"
 	"gotest.tools/fs"
 
 	constant "isula.org/isula-build"
 	pb "isula.org/isula-build/api/services"
 	"isula.org/isula-build/builder/dockerfile"
 	"isula.org/isula-build/store"
+	"isula.org/isula-build/util"
 )
 
 func TestNewBuilder(t *testing.T) {
 	tmpDir := fs.NewDir(t, t.Name())
 	defer tmpDir.Remove()
+	key, err := util.GenerateRSAKey(util.DefaultRSAKeySize)
+	assert.NilError(t, err)
 
 	type args struct {
 		ctx         context.Context
@@ -67,9 +71,10 @@ func TestNewBuilder(t *testing.T) {
 			wantErr: true,
 		},
 	}
+
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := NewBuilder(tt.args.ctx, tt.args.store, tt.args.req, tt.args.runtimePath, tt.args.buildDir, tt.args.runDir)
+			got, err := NewBuilder(tt.args.ctx, tt.args.store, tt.args.req, tt.args.runtimePath, tt.args.buildDir, tt.args.runDir, key)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("NewBuilder() error = %v, wantErr %v", err, tt.wantErr)
 				return
diff --git a/builder/dockerfile/builder.go b/builder/dockerfile/builder.go
index 75b909a56bcf3590b9c01f6011276fbb6c8b620c..9b1286f2f43e06920954cb4d92d23ed4e8c282c1 100644
--- a/builder/dockerfile/builder.go
+++ b/builder/dockerfile/builder.go
@@ -16,6 +16,8 @@ package dockerfile
 import (
 	"bytes"
 	"context"
+	"crypto"
+	"crypto/rsa"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -78,10 +80,11 @@ type Builder struct {
 	// stageAliasMap hold the stage index which has been renamed
 	// e.g. FROM foo AS bar  ->  map[string]int{"bar":1}
 	stageAliasMap map[string]int
+	rsaKey        *rsa.PrivateKey
 }
 
 // NewBuilder init a builder
-func NewBuilder(ctx context.Context, store store.Store, req *pb.BuildRequest, runtimePath, buildDir, runDir string) (*Builder, error) {
+func NewBuilder(ctx context.Context, store store.Store, req *pb.BuildRequest, runtimePath, buildDir, runDir string, key *rsa.PrivateKey) (*Builder, error) {
 	b := &Builder{
 		ctx:          ctx,
 		buildID:      req.BuildID,
@@ -94,9 +97,10 @@ func NewBuilder(ctx context.Context, store store.Store, req *pb.BuildRequest, ru
 		runtimePath:  runtimePath,
 		dataDir:      buildDir,
 		runDir:       runDir,
+		rsaKey:       key,
 	}
 
-	args, err := b.parseBuildArgs(req.GetBuildArgs(), req.GetEncryptKey())
+	args, err := b.parseBuildArgs(req.GetBuildArgs())
 	if err != nil {
 		return nil, errors.Wrap(err, "parse build-arg failed")
 	}
@@ -189,11 +193,12 @@ func (b *Builder) Logger() *logrus.Entry {
 	return logrus.WithField(util.LogKeySessionID, b.ctx.Value(util.LogFieldKey(util.LogKeySessionID)))
 }
 
-func (b *Builder) parseBuildArgs(buildArgs []string, key string) (map[string]string, error) {
+func (b *Builder) parseBuildArgs(buildArgs []string) (map[string]string, error) {
 	args := make(map[string]string, len(buildArgs))
+	errKey := b.rsaKey.Validate()
 	for _, arg := range buildArgs {
-		if len(key) != 0 {
-			v, err := util.DecryptAES(arg, key)
+		if errKey == nil {
+			v, err := util.DecryptRSA(arg, b.rsaKey, crypto.SHA512)
 			if err != nil {
 				return nil, err
 			}
diff --git a/builder/dockerfile/builder_test.go b/builder/dockerfile/builder_test.go
index 78279079be4b3ea95e5938f765c35e529a2608ad..d1b0713eb74d7985b8db42ca0ff40ac2b668f82b 100644
--- a/builder/dockerfile/builder_test.go
+++ b/builder/dockerfile/builder_test.go
@@ -15,7 +15,8 @@ package dockerfile
 
 import (
 	"context"
-	"crypto/sha256"
+	"crypto/rsa"
+	"crypto/sha512"
 	"io/ioutil"
 	"os"
 	"path/filepath"
@@ -1214,6 +1215,7 @@ func TestParseRequestBuildArgs(t *testing.T) {
 	}
 
 	b := getBuilder()
+	rsaKey := b.rsaKey
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			var (
@@ -1221,19 +1223,26 @@ func TestParseRequestBuildArgs(t *testing.T) {
 				err        error
 			)
 			if tt.decrypt {
-				oriKey, _ := util.GenerateCryptoKey(util.CryptoKeyLen)
-				key, _ := util.PBKDF2(oriKey, util.CryptoKeyLen, sha256.New)
+				b.rsaKey = rsaKey
+				tmpDir := fs.NewDir(t, t.Name())
+				defer tmpDir.Remove()
+				keyPath := filepath.Join(tmpDir.Path(), "isula-build.pub")
+				assert.NilError(t, err)
+				err = util.GenRSAPublicKeyFile(b.rsaKey, keyPath)
+				assert.NilError(t, err)
+				pubKey, err := util.ReadPublicKey(keyPath)
+				assert.NilError(t, err)
 				var args = make([]string, 0, 10)
 				for _, v := range tt.buildArgs {
-					encryptedArg, encErr := util.EncryptAES(v, key)
+					encryptedArg, encErr := util.EncryptRSA(v, pubKey, sha512.New())
 					assert.NilError(t, encErr)
 					args = append(args, encryptedArg)
 				}
-				argsParsed, err = b.parseBuildArgs(args, key)
+				argsParsed, err = b.parseBuildArgs(args)
 				b.buildOpts.BuildArgs = argsParsed
-
 			} else {
-				argsParsed, err = b.parseBuildArgs(tt.buildArgs, "")
+				b.rsaKey = &rsa.PrivateKey{}
+				argsParsed, err = b.parseBuildArgs(tt.buildArgs)
 				b.buildOpts.BuildArgs = argsParsed
 			}
 
@@ -1328,6 +1337,12 @@ func TestNewBuilder(t *testing.T) {
 	}
 	defer testutil.Immutable(immutablePath, false)
 
+	keyPath := filepath.Join(tmpDir, "isula-build.pub")
+	privateKey, err := util.GenerateRSAKey(util.DefaultRSAKeySize)
+	assert.NilError(t, err)
+	err = util.GenRSAPublicKeyFile(privateKey, keyPath)
+	assert.NilError(t, err)
+
 	type args struct {
 		ctx         context.Context
 		store       store.Store
@@ -1335,6 +1350,7 @@ func TestNewBuilder(t *testing.T) {
 		runtimePath string
 		buildDir    string
 		runDir      string
+		key         *rsa.PrivateKey
 	}
 	tests := []struct {
 		name    string
@@ -1342,21 +1358,6 @@ func TestNewBuilder(t *testing.T) {
 		want    *Builder
 		wantErr bool
 	}{
-		{
-			name: "NewBuilder - decrypts fail - wrong key",
-			args: args{
-				ctx:   context.Background(),
-				store: store.Store{},
-				req: &pb.BuildRequest{
-					BuildArgs:  []string{"foo=bar", "http_proxy=test"},
-					EncryptKey: "1",
-				},
-				buildDir: tmpDir,
-				runDir:   tmpDir,
-			},
-			want:    nil,
-			wantErr: true,
-		},
 		{
 			name: "NewBuilder - wrong rundir",
 			args: args{
@@ -1365,6 +1366,7 @@ func TestNewBuilder(t *testing.T) {
 				req:      &pb.BuildRequest{},
 				buildDir: tmpDir,
 				runDir:   "",
+				key:      privateKey,
 			},
 			want:    nil,
 			wantErr: true,
@@ -1379,6 +1381,7 @@ func TestNewBuilder(t *testing.T) {
 				},
 				buildDir: tmpDir,
 				runDir:   immutablePath,
+				key:      privateKey,
 			},
 			want:    nil,
 			wantErr: true,
@@ -1386,7 +1389,7 @@ func TestNewBuilder(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := NewBuilder(tt.args.ctx, tt.args.store, tt.args.req, tt.args.runtimePath, tt.args.buildDir, tt.args.runDir)
+			got, err := NewBuilder(tt.args.ctx, tt.args.store, tt.args.req, tt.args.runtimePath, tt.args.buildDir, tt.args.runDir, tt.args.key)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("NewBuilder() error = %v, wantErr %v", err, tt.wantErr)
 				return
diff --git a/builder/dockerfile/stage_builder_test.go b/builder/dockerfile/stage_builder_test.go
index 13376506a7adbc37e9a127a5a85c2da7f3df6623..56a994c4c77b5d0f4f4bed4b3c02259e4db5c58e 100644
--- a/builder/dockerfile/stage_builder_test.go
+++ b/builder/dockerfile/stage_builder_test.go
@@ -37,6 +37,7 @@ import (
 	"isula.org/isula-build/pkg/parser"
 	"isula.org/isula-build/store"
 	testUtil "isula.org/isula-build/tests/util"
+	"isula.org/isula-build/util"
 )
 
 var (
@@ -108,6 +109,8 @@ func getImageID(t *testing.T, s *store.Store) string {
 }
 
 func getBuilder() *Builder {
+	privateKey, _:= util.GenerateRSAKey(util.DefaultRSAKeySize)
+
 	return &Builder{
 		ctx:           context.Background(),
 		buildID:       "",
@@ -120,6 +123,7 @@ func getBuilder() *Builder {
 		reservedArgs:  make(map[string]string),
 		unusedArgs:    make(map[string]string),
 		stageBuilders: nil,
+		rsaKey:        privateKey,
 	}
 }
 
diff --git a/cmd/cli/build.go b/cmd/cli/build.go
index 9792807c811f80d3a9a67e7131b30002123fca7b..ad83b3a144911696116a6bd9efe8cdafc4347a2b 100644
--- a/cmd/cli/build.go
+++ b/cmd/cli/build.go
@@ -15,7 +15,7 @@ package main
 
 import (
 	"context"
-	"crypto/sha256"
+	"crypto/sha512"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -287,8 +287,7 @@ func runBuild(ctx context.Context, cli Cli) (string, error) {
 	if content, digest, err = readDockerfile(); err != nil {
 		return "", err
 	}
-
-	if err = encryptBuildArgs(); err != nil {
+	if err = encryptBuildArgs(util.DefaultRSAKeyPath); err != nil {
 		return "", errors.Wrap(err, "encrypt --build-arg failed")
 	}
 	imageIDFilePath, err = getAbsPath(buildOpts.imageIDFile)
@@ -309,7 +308,6 @@ func runBuild(ctx context.Context, cli Cli) (string, error) {
 		EntityID:      entityID,
 		BuildArgs:     buildOpts.buildArgs,
 		CapAddList:    buildOpts.capAddList,
-		EncryptKey:    buildOpts.encryptKey,
 		ContextDir:    buildOpts.contextDir,
 		FileContent:   content,
 		Output:        buildOpts.output,
@@ -360,7 +358,7 @@ func runBuild(ctx context.Context, cli Cli) (string, error) {
 }
 
 // encrypts those sensitive args before transporting via GRPC
-func encryptBuildArgs() error {
+func encryptBuildArgs(path string) error {
 	var hasSensiArg bool
 	for _, v := range buildOpts.buildArgs {
 		const kvNums = 2
@@ -375,11 +373,7 @@ func encryptBuildArgs() error {
 		return nil
 	}
 
-	oriKey, err := util.GenerateCryptoKey(util.CryptoKeyLen)
-	if err != nil {
-		return err
-	}
-	key, err := util.PBKDF2(oriKey, util.CryptoKeyLen, sha256.New)
+	key, err := util.ReadPublicKey(path)
 	if err != nil {
 		return err
 	}
@@ -387,7 +381,7 @@ func encryptBuildArgs() error {
 	const possibleArgCaps = 10
 	var args = make([]string, 0, possibleArgCaps)
 	for _, v := range buildOpts.buildArgs {
-		encryptedArg, encErr := util.EncryptAES(v, key)
+		encryptedArg, encErr := util.EncryptRSA(v, key, sha512.New())
 		if encErr != nil {
 			return encErr
 		}
@@ -395,7 +389,6 @@ func encryptBuildArgs() error {
 	}
 
 	buildOpts.buildArgs = args
-	buildOpts.encryptKey = key
 	return nil
 }
 
diff --git a/cmd/cli/build_test.go b/cmd/cli/build_test.go
index c0e97d65798c69aa6bac484a1d8cb1ee71efea86..ca0ea3a68973f946ba3dd575b47a6943218b44b7 100644
--- a/cmd/cli/build_test.go
+++ b/cmd/cli/build_test.go
@@ -15,6 +15,7 @@ package main
 
 import (
 	"context"
+	"crypto"
 	"io/ioutil"
 	"os"
 	"path/filepath"
@@ -498,17 +499,24 @@ func TestEncryptBuildArgs(t *testing.T) {
 		},
 	}
 
+	tmpDir := fs.NewDir(t, t.Name())
+	defer tmpDir.Remove()
+	keyPath := filepath.Join(tmpDir.Path(), "isula-build.pub")
+	privateKey, err := util.GenerateRSAKey(util.DefaultRSAKeySize)
+	assert.NilError(t, err)
+	err = util.GenRSAPublicKeyFile(privateKey, keyPath)
+	assert.NilError(t, err)
+
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			buildOpts.buildArgs = tt.args
 			buildOpts.encryptKey = ""
-
-			if err := encryptBuildArgs(); (err == nil) != (!tt.err) {
+			if err := encryptBuildArgs(keyPath); (err == nil) != (!tt.err) {
 				t.FailNow()
 			}
 			if tt.encrypt {
 				for i := 0; i < len(tt.args); i++ {
-					arg, err := util.DecryptAES(buildOpts.buildArgs[i], buildOpts.encryptKey)
+					arg, err := util.DecryptRSA(buildOpts.buildArgs[i], privateKey, crypto.SHA512)
 					assert.NilError(t, err)
 					assert.Equal(t, tt.args[i], arg)
 				}
diff --git a/cmd/cli/login.go b/cmd/cli/login.go
index 2cc6425c24a56c87984ab6c8809fa404d1c96644..242e4ab54217ce6a5dac8a34f346c4a5c7428c07 100644
--- a/cmd/cli/login.go
+++ b/cmd/cli/login.go
@@ -16,7 +16,7 @@ package main
 import (
 	"bufio"
 	"context"
-	"crypto/sha256"
+	"crypto/sha512"
 	"fmt"
 	"io"
 	"os"
@@ -51,9 +51,9 @@ var (
 
 type loginOptions struct {
 	server    string
-	key       string
 	username  string
 	password  string
+	keyPath   string
 	stdinPass bool
 }
 
@@ -85,6 +85,7 @@ func loginCommand(c *cobra.Command, args []string) error {
 	if err := getRegistry(args); err != nil {
 		return err
 	}
+	loginOpts.keyPath = util.DefaultRSAKeyPath
 
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
@@ -93,6 +94,7 @@ func loginCommand(c *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
+
 	msg, err := runLogin(ctx, cli, c)
 	fmt.Println(msg)
 	if err != nil {
@@ -149,7 +151,6 @@ func genLoginReq(c *cobra.Command, shouldGetAuthInfo bool) (*pb.LoginRequest, er
 			Server:   loginOpts.server,
 			Username: "",
 			Password: "",
-			Key:      "",
 		}, nil
 	}
 
@@ -160,16 +161,15 @@ func genLoginReq(c *cobra.Command, shouldGetAuthInfo bool) (*pb.LoginRequest, er
 			return nil, err
 		}
 	}
-	if err := encryptOpts(); err != nil {
+	if err := encryptOpts(loginOpts.keyPath); err != nil {
 		return nil, err
 	}
+
 	return &pb.LoginRequest{
 		Server:   loginOpts.server,
 		Username: loginOpts.username,
 		Password: loginOpts.password,
-		Key:      loginOpts.key,
 	}, nil
-
 }
 
 func getRegistry(args []string) error {
@@ -269,24 +269,17 @@ func getPassFromStdin(r io.Reader) error {
 	return nil
 }
 
-func encryptOpts() error {
-	oriKey, err := util.GenerateCryptoKey(util.CryptoKeyLen)
+func encryptOpts(path string) error {
+	key, err := util.ReadPublicKey(path)
 	if err != nil {
-		loginOpts.password = ""
 		return err
 	}
-	key, pbkErr := util.PBKDF2(oriKey, util.CryptoKeyLen, sha256.New)
-	if pbkErr != nil {
-		loginOpts.password = ""
-		return pbkErr
-	}
-	encryptedPass, enErr := util.EncryptAES(loginOpts.password, key)
+	encryptedPass, enErr := util.EncryptRSA(loginOpts.password, key, sha512.New())
 	if enErr != nil {
 		loginOpts.password = ""
 		return enErr
 	}
 
 	loginOpts.password = encryptedPass
-	loginOpts.key = key
 	return nil
 }
diff --git a/cmd/cli/login_test.go b/cmd/cli/login_test.go
index be2055e455af3f10a03e6b65f65d3aff33685060..a586988ae82acedce6743a01a3e054a705f6a6d6 100644
--- a/cmd/cli/login_test.go
+++ b/cmd/cli/login_test.go
@@ -18,10 +18,14 @@ import (
 	"context"
 	"errors"
 	"io"
+	"path/filepath"
 	"strings"
 	"testing"
 
 	"gotest.tools/assert"
+	"gotest.tools/fs"
+
+	"isula.org/isula-build/util"
 )
 
 func TestNewLoginCmd(t *testing.T) {
@@ -110,7 +114,14 @@ func TestGetPassFromStdin(t *testing.T) {
 }
 
 func TestEncryptOpts(t *testing.T) {
-	err := encryptOpts()
+	tmpDir := fs.NewDir(t, t.Name())
+	defer tmpDir.Remove()
+	keyPath := filepath.Join(tmpDir.Path(), "isula-build.pub")
+	privateKey, err := util.GenerateRSAKey(util.DefaultRSAKeySize)
+	assert.NilError(t, err)
+	err = util.GenRSAPublicKeyFile(privateKey, keyPath)
+	assert.NilError(t, err)
+	err = encryptOpts(keyPath)
 	assert.NilError(t, err)
 }
 
@@ -145,6 +156,14 @@ func TestRunLogin(t *testing.T) {
 			wantErr:  true,
 		},
 	}
+	tmpDir := fs.NewDir(t, t.Name())
+	defer tmpDir.Remove()
+	keyPath := filepath.Join(tmpDir.Path(), "isula-build.pub")
+	privateKey, err := util.GenerateRSAKey(util.DefaultRSAKeySize)
+	assert.NilError(t, err)
+	err = util.GenRSAPublicKeyFile(privateKey, keyPath)
+	assert.NilError(t, err)
+
 	for _, tc := range testcases {
 		ctx := context.Background()
 		mockD := newMockDaemon()
@@ -155,6 +174,7 @@ func TestRunLogin(t *testing.T) {
 			server:   tc.server,
 			username: tc.username,
 			password: tc.password,
+			keyPath:  keyPath,
 		}
 
 		_, err := runLogin(ctx, &cli, c)
diff --git a/cmd/daemon/main.go b/cmd/daemon/main.go
index c0603d57a20006ce11da096008acc1b841f1f695..c4f2ea80b33493a638b37ddd12df797c241a7f79 100644
--- a/cmd/daemon/main.go
+++ b/cmd/daemon/main.go
@@ -36,6 +36,8 @@ import (
 	"isula.org/isula-build/util"
 )
 
+const lockFileName = "isula-builder.lock"
+
 var daemonOpts daemon.Options
 
 func newDaemonCommand() *cobra.Command {
@@ -87,8 +89,23 @@ func runDaemon(cmd *cobra.Command, args []string) error {
 	}
 	// cleanup the residual container store if it exists
 	store.CleanContainerStore()
-	d := daemon.NewDaemon(daemonOpts, store)
+	// Ensure we have only one daemon running at the same time
+	lock, err := util.SetDaemonLock(daemonOpts.RunRoot, lockFileName)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if uerr := lock.Unlock(); uerr != nil {
+			logrus.Errorf("Unlock file %s failed: %v", lock.Path(), uerr)
+		} else if rerr := os.RemoveAll(lock.Path()); rerr != nil {
+			logrus.Errorf("Remove lock file %s failed: %v", lock.Path(), rerr)
+		}
+	}()
 
+	d, err := daemon.NewDaemon(daemonOpts, store)
+	if err != nil {
+		return err
+	}
 	defer func() {
 		if cerr := d.Cleanup(); cerr != nil {
 			if err == nil {
diff --git a/constant.go b/constant.go
index 9e7023b8cbc83e0a97f27f9c4ab0f99723eac973..643e0174cf8fb38583820b04574a230c258213c3 100644
--- a/constant.go
+++ b/constant.go
@@ -45,6 +45,8 @@ const (
 	DefaultRootFileMode = 0600
 	// DefaultRootDirMode is the default root dir mode
 	DefaultRootDirMode = 0700
+	// DefaultReadOnlyFileMode is the default root read only file mode
+	DefaultReadOnlyFileMode = 0400
 	// DefaultUmask is the working umask in isula-builder
 	DefaultUmask = 0027
 	// CliLogBufferLen is log channel buffer size
diff --git a/daemon/daemon.go b/daemon/daemon.go
index 5c92983021365ca985bc182d2dd5704fe5af17ea..504d192db6513a2009ec0a7bb2957568ee52d55b 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -16,13 +16,13 @@ package daemon
 
 import (
 	"context"
+	"crypto/rsa"
 	"os"
 	"path/filepath"
 	"sync"
 	"time"
 
 	"github.com/containerd/containerd/sys/reaper"
-	"github.com/gofrs/flock"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
@@ -36,7 +36,6 @@ import (
 	"isula.org/isula-build/util"
 )
 
-const lockFileName = "isula-builder.lock"
 
 // Options carries the options configured to daemon
 type Options struct {
@@ -58,20 +57,30 @@ type Daemon struct {
 	backend    *Backend
 	grpc       *GrpcServer
 	localStore store.Store
+	key        *rsa.PrivateKey
 }
 
 // NewDaemon new a daemon instance
-func NewDaemon(opts Options, store store.Store) *Daemon {
+func NewDaemon(opts Options, store store.Store) (*Daemon, error) {
+	rsaKey, err := util.GenerateRSAKey(util.DefaultRSAKeySize)
+	if err != nil {
+		return nil, err
+	}
+	if err := util.GenRSAPublicKeyFile(rsaKey, util.DefaultRSAKeyPath); err != nil {
+		return nil, err
+	}
+
 	return &Daemon{
 		opts:       &opts,
 		builders:   make(map[string]builder.Builder),
 		entities:   make(map[string]string),
 		localStore: store,
-	}
+		key:        rsaKey,
+	}, nil
 }
 
 // Run runs the daemon process
-func (d *Daemon) Run() error {
+func (d *Daemon) Run() (err error) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 	gc := gc.NewGC()
@@ -83,19 +92,6 @@ func (d *Daemon) Run() error {
 
 	logrus.Debugf("Daemon start with option %#v", d.opts)
 
-	// Ensure we have only one daemon running at the same time
-	lock, err := setDaemonLock(d.opts.RunRoot, lockFileName)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		if uerr := lock.Unlock(); uerr != nil {
-			logrus.Errorf("Unlock file %s failed: %v", lock.Path(), uerr)
-		} else if rerr := os.RemoveAll(lock.Path()); rerr != nil {
-			logrus.Errorf("Remove lock file %s failed: %v", lock.Path(), rerr)
-		}
-	}()
-
 	stack.Setup(d.opts.RunRoot)
 
 	d.NewBackend()
@@ -140,7 +136,7 @@ func (d *Daemon) NewBuilder(ctx context.Context, req *pb.BuildRequest) (b builde
 	// this key with BuildDir will be used by exporter to save blob temporary
 	// NOTE: keep it be updated before NewBuilder. ctx will be taken by Builder
 	ctx = context.WithValue(ctx, util.BuildDirKey(util.BuildDir), buildDir)
-	b, err = builder.NewBuilder(ctx, d.localStore, req, d.opts.RuntimePath, buildDir, runDir)
+	b, err = builder.NewBuilder(ctx, d.localStore, req, d.opts.RuntimePath, buildDir, runDir, d.key)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to new builder")
 	}
@@ -189,6 +185,9 @@ func (d *Daemon) Cleanup() error {
 	if d.backend != nil {
 		d.backend.deleteAllStatus()
 	}
+	if err := os.Remove(util.DefaultRSAKeyPath); err != nil {
+		logrus.Info("Delete key failed")
+	}
 	d.deleteAllBuilders()
 	d.localStore.CleanContainerStore()
 	_, err := d.localStore.Shutdown(false)
@@ -227,16 +226,3 @@ func (d *Daemon) registerSubReaper(g *gc.GarbageCollector) error {
 	return g.RegisterGC(opt)
 }
 
-// setDaemonLock will check if there is another daemon running and return error if any
-func setDaemonLock(root, fileName string) (*flock.Flock, error) {
-	lockPath := filepath.Join(root, fileName)
-	lock := flock.New(lockPath)
-	locked, err := lock.TryLock()
-	if err != nil {
-		return nil, errors.Wrapf(err, "could not lock %s", lockPath)
-	}
-	if !locked {
-		return nil, errors.Errorf("lock %s failed, check if there is another daemon running", lockPath)
-	}
-	return lock, nil
-}
diff --git a/daemon/daemon_test.go b/daemon/daemon_test.go
deleted file mode 100644
index 43b9d245b089e86baf64c88435c89d110538e316..0000000000000000000000000000000000000000
--- a/daemon/daemon_test.go
+++ /dev/null
@@ -1,49 +0,0 @@
-// Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
-// isula-build licensed under the Mulan PSL v2.
-// You can use this software according to the terms and conditions of the Mulan PSL v2.
-// You may obtain a copy of Mulan PSL v2 at:
-//     http://license.coscl.org.cn/MulanPSL2
-// THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
-// PURPOSE.
-// See the Mulan PSL v2 for more details.
-// Author: iSula Team
-// Create: 2020-01-20
-// Description: This is test file for daemon
-
-package daemon
-
-import (
-	"os"
-	"path/filepath"
-	"testing"
-
-	"gotest.tools/assert"
-
-	constant "isula.org/isula-build"
-)
-
-func TestSetDaemonLock(t *testing.T) {
-	root := "/tmp/this_is_a_test_folder"
-	name := "test.lock"
-	lockPath := filepath.Join(root, name)
-
-	// when folder is not exist, daemon lock is not supposed to be set
-	_, err := setDaemonLock(root, name)
-	assert.ErrorContains(t, err, "no such file or directory")
-
-	// create lockfile
-	err = os.Mkdir(root, constant.DefaultRootDirMode)
-	defer os.RemoveAll(root)
-	assert.NilError(t, err)
-	f, err := os.Create(lockPath)
-	assert.NilError(t, err)
-	defer f.Close()
-	// set daemon lock successful
-	_, err = setDaemonLock(root, name)
-	assert.NilError(t, err)
-
-	// set daemon lock twice will fail
-	_, err = setDaemonLock(root, name)
-	assert.ErrorContains(t, err, "check if there is another daemon running")
-}
diff --git a/daemon/login.go b/daemon/login.go
index c96e9d551cf0f4d7113d009340fbc1cccf579c98..104876ede31e5cfe3c65fd26d18e98565dc24cf3 100644
--- a/daemon/login.go
+++ b/daemon/login.go
@@ -15,6 +15,7 @@ package daemon
 
 import (
 	"context"
+	"crypto"
 	"path/filepath"
 
 	"github.com/containers/image/v5/docker"
@@ -76,7 +77,7 @@ func (b *Backend) Login(ctx context.Context, req *pb.LoginRequest) (*pb.LoginRes
 	}
 
 	// use username and password from client to access
-	password, err := util.DecryptAES(req.Password, req.Key)
+	password, err := util.DecryptRSA(req.Password, b.daemon.key, crypto.SHA512)
 	if err != nil {
 		return &pb.LoginResponse{Content: err.Error()}, err
 	}
@@ -112,9 +113,6 @@ func validLoginOpts(req *pb.LoginRequest) error {
 	if req.Password == "" && req.Username == "" && req.Server != "" {
 		return nil
 	}
-	if req.Key == "" {
-		return errors.New(emptyKey)
-	}
 	if req.Server == "" {
 		return errors.New(emptyServer)
 	}
diff --git a/util/aes_test.go b/util/aes_test.go
deleted file mode 100644
index 5f5c8633d8f0a5f9b5661b600b1531662fa367d7..0000000000000000000000000000000000000000
--- a/util/aes_test.go
+++ /dev/null
@@ -1,99 +0,0 @@
-// Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
-// iSula-Kits licensed under the Mulan PSL v2.
-// You can use this software according to the terms and conditions of the Mulan PSL v2.
-// You may obtain a copy of Mulan PSL v2 at:
-//     http://license.coscl.org.cn/MulanPSL2
-// THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
-// PURPOSE.
-// See the Mulan PSL v2 for more details.
-// Author: Xiang Li
-// Create: 2020-06-02
-// Description: aes encrypt and decrypt testing
-
-package util
-
-import (
-	"crypto/sha1"
-	"crypto/sha256"
-	"crypto/sha512"
-	"hash"
-	"testing"
-
-	"gotest.tools/assert"
-)
-
-func TestAES(t *testing.T) {
-	var testcases = []struct {
-		name    string
-		length  int
-		wantErr bool
-		text    string
-		hash    func() hash.Hash
-	}{
-		{
-			name:    "TC1 - normal case with key length 16",
-			length:  16,
-			text:    "abcdefghijklmnopqrstuvwxyz",
-			hash:    sha256.New,
-			wantErr: false,
-		},
-		{
-			name:    "TC2 - normal case with key length 24",
-			length:  24,
-			text:    "1234567890",
-			hash:    sha256.New,
-			wantErr: false,
-		},
-		{
-			name:    "TC3 - normal case with key length 32",
-			length:  32,
-			text:    "!@#$%^&*()_+:><?",
-			hash:    sha256.New,
-			wantErr: false,
-		},
-		{
-			name:    "TC4 - normal case with sha1",
-			length:  32,
-			text:    "1234567890",
-			hash:    sha1.New,
-			wantErr: false,
-		},
-		{
-			name:    "TC5 - normal case with sha256",
-			length:  32,
-			text:    "abcdefghijklmnopqrstuvwxyz",
-			hash:    sha512.New,
-			wantErr: false,
-		},
-		{
-			name:    "TC6 - abnormal case with invalid key length 0",
-			length:  0,
-			text:    "!@#$%^&*()_+:><?",
-			hash:    sha256.New,
-			wantErr: true,
-		},
-		{
-			name:    "TC7 - abnormal case with invalid ken length 63",
-			length:  63,
-			text:    "This is test 7",
-			hash:    sha256.New,
-			wantErr: true,
-		},
-	}
-	for _, tt := range testcases {
-		t.Run(tt.name, func(t *testing.T) {
-			oriKey, err := GenerateCryptoKey(tt.length)
-			key, err := PBKDF2(oriKey, tt.length, tt.hash)
-			encryptData, err := EncryptAES(tt.text, key)
-			decryptData, err := DecryptAES(encryptData, key)
-			if err == nil {
-				assert.Equal(t, tt.text, decryptData)
-				assert.Assert(t, string(oriKey) != key)
-			}
-			if (err != nil) != tt.wantErr {
-				t.Errorf("%s error = %v, wantErr %v", tt.name, err, tt.wantErr)
-			}
-		})
-	}
-}
diff --git a/util/aes.go b/util/cipher.go
similarity index 56%
rename from util/aes.go
rename to util/cipher.go
index 6d22fb7650a0056dc6ae6ba0582817ac67ddea1a..9e5dbabebc52eae69d2e33387183d413a82a4b03 100644
--- a/util/aes.go
+++ b/util/cipher.go
@@ -14,15 +14,24 @@
 package util
 
 import (
+	"crypto"
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
 	"encoding/hex"
+	"encoding/pem"
 	"hash"
 	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
 
 	"github.com/pkg/errors"
 	"golang.org/x/crypto/pbkdf2"
+
+	constant "isula.org/isula-build"
 )
 
 const (
@@ -32,6 +41,10 @@ const (
 	iteration           = 409600
 	aesKeyLenUpperBound = 32
 	aesKeyLenLowerBound = 16
+	// DefaultRSAKeySize is secure key length for RSA
+	DefaultRSAKeySize = 2048
+	// DefaultRSAKeyPath is the default directory to store rsa public key
+	DefaultRSAKeyPath = "/etc/isula-build/isula-build.pub"
 )
 
 var (
@@ -126,3 +139,93 @@ func DecryptAES(data string, aeskey string) (string, error) {
 
 	return string(decryptData), nil
 }
+
+// GenerateRSAKey generates a RAS key pair with key size s
+// the recommend key size is 4096 and which will be use when
+// key size is less than it
+func GenerateRSAKey(keySize int) (*rsa.PrivateKey, error) {
+	if keySize <= DefaultRSAKeySize {
+		keySize = DefaultRSAKeySize
+	}
+	privateKey, err := rsa.GenerateKey(rand.Reader, keySize)
+	if err != nil {
+		return nil, errors.Errorf("generate rsa key pair failed: %v", err)
+	}
+
+	return privateKey, nil
+}
+
+// EncryptRSA encrypts text with RSA public key
+// the hash function(ordinary one) need to be same level with decrypt end
+func EncryptRSA(data string, key rsa.PublicKey, h hash.Hash) (string, error) {
+	cipherText, err := rsa.EncryptOAEP(h, rand.Reader, &key, []byte(data), nil)
+	if err != nil {
+		return "", errors.Errorf("encryption failed: %v", err)
+	}
+
+	return hex.EncodeToString(cipherText), nil
+}
+
+// DecryptRSA decrypts cipher text with RSA private key
+// the hash function(crypto one) need to be same level with encrypt end
+func DecryptRSA(data string, key *rsa.PrivateKey, h crypto.Hash) (string, error) {
+	msg, err := hex.DecodeString(data)
+	if err != nil {
+		return "", err
+	}
+	plainText, errDec := key.Decrypt(nil, msg, &rsa.OAEPOptions{Hash: h, Label: nil})
+	if errDec != nil {
+		return "", errors.Errorf("decryption failed: %v", err)
+	}
+
+	return string(plainText), nil
+}
+
+// GenRSAPublicKeyFile store public key from rsa key pair into local file
+func GenRSAPublicKeyFile(key *rsa.PrivateKey, path string) error {
+	if IsExist(path) {
+		if err := os.Remove(path); err != nil {
+			return errors.Errorf("failed to delete the residual key file: %v", err)
+		}
+	}
+	publicKey := &key.PublicKey
+	stream, err := x509.MarshalPKIXPublicKey(publicKey)
+	if err != nil {
+		return err
+	}
+	block := &pem.Block{
+		Type:  "RSA PUBLIC KEY",
+		Bytes: stream,
+	}
+	file, err := os.Create(path)
+	if err != nil {
+		return err
+	}
+	if err := os.Chmod(path, constant.DefaultReadOnlyFileMode); err != nil {
+		return err
+	}
+	if err := pem.Encode(file, block); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// ReadPublicKey gets public key from key file
+func ReadPublicKey(path string) (rsa.PublicKey, error) {
+	keyFile, err := ioutil.ReadFile(filepath.Clean(path))
+	if err != nil {
+		return rsa.PublicKey{}, err
+	}
+	block, _ := pem.Decode(keyFile)
+	if block == nil {
+		return rsa.PublicKey{}, errors.New("decoding public key failed")
+	}
+	pubInterface, err := x509.ParsePKIXPublicKey(block.Bytes)
+	if err != nil {
+		return rsa.PublicKey{}, err
+	}
+	key := pubInterface.(*rsa.PublicKey)
+
+	return *key, nil
+}
diff --git a/util/cipher_test.go b/util/cipher_test.go
new file mode 100644
index 0000000000000000000000000000000000000000..1f7f210d1480d6cdb1ea30f8d5ea94c5f1ce0422
--- /dev/null
+++ b/util/cipher_test.go
@@ -0,0 +1,218 @@
+// Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+// iSula-Kits licensed under the Mulan PSL v2.
+// You can use this software according to the terms and conditions of the Mulan PSL v2.
+// You may obtain a copy of Mulan PSL v2 at:
+//     http://license.coscl.org.cn/MulanPSL2
+// THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+// PURPOSE.
+// See the Mulan PSL v2 for more details.
+// Author: Xiang Li
+// Create: 2020-06-02
+// Description: aes encrypt and decrypt testing
+
+package util
+
+import (
+	"crypto"
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/sha512"
+	"hash"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"gotest.tools/assert"
+	"gotest.tools/fs"
+)
+
+const (
+	maxRepeatTime = 1000000
+)
+
+func TestAES(t *testing.T) {
+	var testcases = []struct {
+		name    string
+		length  int
+		wantErr bool
+		text    string
+		hash    func() hash.Hash
+	}{
+		{
+			name:    "TC1 - normal case with key length 16",
+			length:  16,
+			text:    "abcdefghijklmnopqrstuvwxyz",
+			hash:    sha256.New,
+			wantErr: false,
+		},
+		{
+			name:    "TC2 - normal case with key length 24",
+			length:  24,
+			text:    "1234567890",
+			hash:    sha256.New,
+			wantErr: false,
+		},
+		{
+			name:    "TC3 - normal case with key length 32",
+			length:  32,
+			text:    "!@#$%^&*()_+:><?",
+			hash:    sha256.New,
+			wantErr: false,
+		},
+		{
+			name:    "TC4 - normal case with sha1",
+			length:  32,
+			text:    "1234567890",
+			hash:    sha1.New,
+			wantErr: false,
+		},
+		{
+			name:    "TC5 - normal case with sha256",
+			length:  32,
+			text:    "abcdefghijklmnopqrstuvwxyz",
+			hash:    sha512.New,
+			wantErr: false,
+		},
+		{
+			name:    "TC6 - abnormal case with invalid key length 0",
+			length:  0,
+			text:    "!@#$%^&*()_+:><?",
+			hash:    sha256.New,
+			wantErr: true,
+		},
+		{
+			name:    "TC7 - abnormal case with invalid ken length 63",
+			length:  63,
+			text:    "This is test 7",
+			hash:    sha256.New,
+			wantErr: true,
+		},
+	}
+	for _, tt := range testcases {
+		t.Run(tt.name, func(t *testing.T) {
+			oriKey, err := GenerateCryptoKey(tt.length)
+			key, err := PBKDF2(oriKey, tt.length, tt.hash)
+			encryptData, err := EncryptAES(tt.text, key)
+			decryptData, err := DecryptAES(encryptData, key)
+			if err == nil {
+				assert.Equal(t, tt.text, decryptData)
+				assert.Assert(t, string(oriKey) != key)
+			}
+			if (err != nil) != tt.wantErr {
+				t.Errorf("%s error = %v, wantErr %v", tt.name, err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func TestRSA(t *testing.T) {
+	type args struct {
+		data string
+		he   hash.Hash
+		hd   crypto.Hash
+	}
+	tests := []struct {
+		name      string
+		args      args
+		wantEnErr bool
+		wantDeErr bool
+	}{
+		{
+			name: "TC1 - normal case with sha512",
+			args: args{
+				data: "This is a plain text",
+				he:   sha512.New(),
+				hd:   crypto.SHA512,
+			},
+		},
+		{
+			name: "TC2 - normal case with sha256",
+			args: args{
+				data: "This is a plain text",
+				he:   sha256.New(),
+				hd:   crypto.SHA256,
+			},
+		},
+		{
+			name: "TC3 - normal case with sha1",
+			args: args{
+				data: "This is a plain text",
+				he:   sha1.New(),
+				hd:   crypto.SHA1,
+			},
+		},
+		{
+			name: "TC4 - normal case with empty data to encrypt",
+			args: args{
+				data: "",
+				he:   sha512.New(),
+				hd:   crypto.SHA512,
+			},
+		},
+		{
+			name: "TC5 - abnormal case with different hash function between encryption and decryption",
+			args: args{
+				data: "This is plain text",
+				he:   sha512.New(),
+				hd:   crypto.SHA256,
+			},
+			wantDeErr: true,
+		},
+		{
+			name: "TC6 - abnormal case with too long plain text",
+			args: args{
+				data: strings.Repeat("a", maxRepeatTime),
+				he:   sha512.New(),
+				hd:   crypto.SHA512,
+			},
+			wantEnErr: true,
+			wantDeErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			key, err := GenerateRSAKey(DefaultRSAKeySize)
+			assert.NilError(t, err)
+			cipherText, err := EncryptRSA(tt.args.data, key.PublicKey, tt.args.he)
+			if (err != nil) != tt.wantEnErr {
+				t.Errorf("EncryptRSA() error = %v, wantErr %v", err, tt.wantEnErr)
+				return
+			}
+			plainText, err := DecryptRSA(cipherText, key, tt.args.hd)
+			if (err != nil) != tt.wantDeErr {
+				t.Errorf("DecryptRSA() error = %v, wantErr %v", err, tt.wantDeErr)
+				return
+			}
+			if err == nil {
+				if plainText != tt.args.data {
+					t.Errorf("EncryptRSA() got = %v, want %v", plainText, tt.args.data)
+				}
+			}
+		})
+	}
+}
+
+func TestGenRSAPubKey(t *testing.T) {
+	tmpDir := fs.NewDir(t, t.Name())
+	defer tmpDir.Remove()
+	keyPath := filepath.Join(tmpDir.Path(), "isula-build.pub")
+	rsaKey, err := GenerateRSAKey(DefaultRSAKeySize)
+	assert.NilError(t, err)
+	err = GenRSAPublicKeyFile(rsaKey, keyPath)
+	assert.NilError(t, err)
+	// when there already has key
+	err = GenRSAPublicKeyFile(rsaKey, keyPath)
+	assert.NilError(t, err)
+}
+
+func benchmarkGenerateRSAKey(scale int, b *testing.B) {
+	b.ReportAllocs()
+	for n := 0; n < b.N; n++ {
+		GenerateRSAKey(scale)
+	}
+}
+
+func BenchmarkGenerateRSAKey2048(b *testing.B) { benchmarkGenerateRSAKey(2048, b) }
+func BenchmarkGenerateRSAKey3072(b *testing.B) { benchmarkGenerateRSAKey(3072, b) }
+func BenchmarkGenerateRSAKey4096(b *testing.B) { benchmarkGenerateRSAKey(4096, b) }
diff --git a/util/util.go b/util/util.go
index d77317e9e9c89adfe743d4e312589711412997a8..d8a24b94f7214ed4fef6ed8d8462dd825b1144eb 100644
--- a/util/util.go
+++ b/util/util.go
@@ -32,6 +32,7 @@ import (
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/system"
 	"github.com/docker/docker/pkg/signal"
+	"github.com/gofrs/flock"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
@@ -304,3 +305,17 @@ func CopyXattrs(src, dest string) error {
 
 	return nil
 }
+
+// SetDaemonLock will check if there is another daemon running and return error if any
+func SetDaemonLock(root, fileName string) (*flock.Flock, error) {
+	lockPath := filepath.Join(root, fileName)
+	lock := flock.New(lockPath)
+	locked, err := lock.TryLock()
+	if err != nil {
+		return nil, errors.Wrapf(err, "could not lock %s", lockPath)
+	}
+	if !locked {
+		return nil, errors.Errorf("lock %s failed, check if there is another daemon running", lockPath)
+	}
+	return lock, nil
+}
diff --git a/util/util_test.go b/util/util_test.go
index a0e93f7e1b3568467aa9076545ff93f1b98f2954..075053c6d0c81a2cbed3a6d4c2be423ae954fe5b 100644
--- a/util/util_test.go
+++ b/util/util_test.go
@@ -20,6 +20,7 @@ import (
 	"math/rand"
 	"net/http"
 	"os"
+	"path/filepath"
 	"syscall"
 	"testing"
 	"time"
@@ -27,6 +28,8 @@ import (
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/system"
 	"gotest.tools/assert"
+
+	constant "isula.org/isula-build"
 )
 
 func TestGetIgnorePatternMatcher(t *testing.T) {
@@ -288,3 +291,27 @@ func TestValidateSignal(t *testing.T) {
 		})
 	}
 }
+func TestSetDaemonLock(t *testing.T) {
+	root := "/tmp/this_is_a_test_folder"
+	name := "test.lock"
+	lockPath := filepath.Join(root, name)
+
+	// when folder is not exist, daemon lock is not supposed to be set
+	_, err := SetDaemonLock(root, name)
+	assert.ErrorContains(t, err, "no such file or directory")
+
+	// create lockfile
+	err = os.Mkdir(root, constant.DefaultRootDirMode)
+	defer os.RemoveAll(root)
+	assert.NilError(t, err)
+	f, err := os.Create(lockPath)
+	assert.NilError(t, err)
+	defer f.Close()
+	// set daemon lock successful
+	_, err = SetDaemonLock(root, name)
+	assert.NilError(t, err)
+
+	// set daemon lock twice will fail
+	_, err = SetDaemonLock(root, name)
+	assert.ErrorContains(t, err, "check if there is another daemon running")
+}