diff --git a/image-rs/src/decrypt.rs b/image-rs/src/decrypt.rs
index d64f40f37..33d14d90d 100644
--- a/image-rs/src/decrypt.rs
+++ b/image-rs/src/decrypt.rs
@@ -93,16 +93,18 @@ mod encryption {
         pub fn get_decrypt_key(
             &self,
             descriptor: &OciDescriptor,
-            decrypt_config: &str,
+            decrypt_config: &Option<&str>,
         ) -> Result> {
             if !self.is_encrypted() {
                 bail!("unencrypted media type: {}", self.media_type);
             }
-            if decrypt_config.is_empty() {
-                bail!("decrypt_config is empty");
-            }
-            let cc = create_decrypt_config(vec![decrypt_config.to_string()], vec![])?;
+            let keys = match decrypt_config {
+                Some(decrypt_config) => vec![decrypt_config.to_string()],
+                None => Vec::new(),
+            };
+
+            let cc = create_decrypt_config(keys, vec![])?;
             if let Some(decrypt_config) = cc.decrypt_config {
                 decrypt_layer_key_opts_data(&decrypt_config, descriptor.annotations.as_ref())
             } else {
@@ -359,7 +361,7 @@ impl Decryptor {
     pub fn get_decrypt_key(
         &self,
         _descriptor: &OciDescriptor,
-        _decrypt_config: &str,
+        _decrypt_config: Option<&str>,
     ) -> Result> {
         bail!(
             "no support of encryption, can't handle '{}'",
diff --git a/image-rs/src/pull.rs b/image-rs/src/pull.rs
index efc8b818e..ad3bc26b3 100644
--- a/image-rs/src/pull.rs
+++ b/image-rs/src/pull.rs
@@ -18,8 +18,6 @@ use crate::image::LayerMeta;
 use crate::meta_store::MetaStore;
 use crate::stream::stream_processing;
-const ERR_NO_DECRYPT_CFG: &str = "decrypt_config is None";
-
 /// The PullClient connects to remote OCI registry, pulls the container image,
 /// and save the image layers under data_dir and return the layer meta info.
 pub struct PullClient<'a> {
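Review bot: The two feature-gated signatures of `get_decrypt_key` now disagree: the `mod encryption` version takes `decrypt_config: &Option<&str>` while the `impl Decryptor` stub in the second hunk takes `_decrypt_config: Option<&str>`, and the single call site in pull.rs hands the same `decrypt_config` value to whichever one is compiled in, so one of the two builds presumably fails to type-check (`&Option<&str>` does not coerce to `Option<&str>`). Make both `Option<&str>` (which also avoids clippy's `ref_option`) and have the caller pass `decrypt_config.as_deref()`. Separately, dropping the `decrypt_config is empty` guard means an encrypted layer with no caller-supplied key provider now runs `create_decrypt_config(Vec::new(), vec![])` and depends on whatever the key provider finds in its own environment (the tests in this commit set `AA_KBC_PARAM` on the CDH for exactly this), so the parameter should say so, e.g. `/// \`None\` defers to the key provider's own configuration; a missing provider then surfaces from \`create_decrypt_config\` rather than from an explicit check here.` The function body continues past the end of the hunk.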
@@ -145,25 +143,21 @@ impl<'a> PullClient<'a> {
         let decryptor = Decryptor::from_media_type(&layer.media_type);
         if decryptor.is_encrypted() {
-            if let Some(dc) = decrypt_config {
-                let decrypt_key = decryptor
-                    .get_decrypt_key(&layer, dc)
-                    .map_err(|e| anyhow!("failed to get decrypt key {}", e.to_string()))?;
-                let plaintext_layer = decryptor
-                    .async_get_plaintext_layer(layer_reader, &layer, &decrypt_key)
-                    .map_err(|e| anyhow!("failed to async_get_plaintext_layer: {:?}", e))?;
-                layer_meta.uncompressed_digest = self
-                    .async_decompress_unpack_layer(
-                        plaintext_layer,
-                        &diff_id,
-                        &decryptor.media_type,
-                        &destination,
-                    )
-                    .await?;
-                layer_meta.encrypted = true;
-            } else {
-                bail!(ERR_NO_DECRYPT_CFG);
-            }
+            let decrypt_key = decryptor
+                .get_decrypt_key(&layer, decrypt_config)
+                .map_err(|e| anyhow!("failed to get decrypt key {}", e.to_string()))?;
+            let plaintext_layer = decryptor
+                .async_get_plaintext_layer(layer_reader, &layer, &decrypt_key)
+                .map_err(|e| anyhow!("failed to async_get_plaintext_layer: {:?}", e))?;
+            layer_meta.uncompressed_digest = self
+                .async_decompress_unpack_layer(
+                    plaintext_layer,
+                    &diff_id,
+                    &decryptor.media_type,
+                    &destination,
+                )
+                .await?;
+            layer_meta.encrypted = true;
         } else {
             layer_meta.uncompressed_digest = self
                 .async_decompress_unpack_layer(
diff --git a/image-rs/tests/common/mod.rs b/image-rs/tests/common/mod.rs
index 14a9e663d..bda0dd640 100644
--- a/image-rs/tests/common/mod.rs
+++ b/image-rs/tests/common/mod.rs
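Review bot: `.map_err(|e| anyhow!("failed to get decrypt key {}", e.to_string()))?` on the new side flattens the key-provider failure into a string and discards its source chain, which is the detail an operator needs when an encrypted layer cannot be unwrapped, and since this commit removed the `decrypt_config` guard this line is now the only place a missing or misconfigured key provider surfaces. Prefer `.context("failed to get decrypt key")?` from anyhow's `Context`, which keeps the chain for `{:#}`/`{:?}` output; `e.to_string()` is in any case redundant with `{}`. The following `.map_err(|e| anyhow!("failed to async_get_plaintext_layer: {:?}", e))?` could get the same treatment if that error type implements `std::error::Error` (the `{:?}` suggests it may not, so this part is hedged). The enclosing method starts and ends outside the hunk.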
@@ -16,7 +16,7 @@ const SIGNATURE_SCRIPT: &str = "scripts/install_test_signatures.sh";
 const OFFLINE_FS_KBC_RESOURCE_SCRIPT: &str = "scripts/install_offline_fs_kbc_files.sh";
 /// Attestation Agent Key Provider Parameter
-pub const AA_PARAMETER: &str = "provider:attestation-agent:offline_fs_kbc::null";
+pub const AA_PARAMETER: &str = "offline_fs_kbc::null";
 /// Attestation Agent Offline Filesystem KBC resources file for general tests that use images stored in the quay.io registry
 pub const OFFLINE_FS_KBC_RESOURCES_FILE: &str = "aa-offline_fs_kbc-resources.json";
@@ -97,6 +97,7 @@ pub async fn start_confidential_data_hub() -> Result {
     cfg_if::cfg_if! {
         if #[cfg(feature = "keywrap-ttrpc")] {
             let mut cdh = Command::new(cdh_path)
+                .env("AA_KBC_PARAM", AA_PARAMETER)
                 .kill_on_drop(true)
                 .spawn()
                 .expect("Failed to start confidential-data-hub");
diff --git a/image-rs/tests/image_decryption.rs b/image-rs/tests/image_decryption.rs
index 743ae6df7..f5f82fba2 100644
--- a/image-rs/tests/image_decryption.rs
+++ b/image-rs/tests/image_decryption.rs
@@ -71,13 +71,13 @@ async fn test_decrypt_layers(#[case] image: &str) {
     let mut image_client = ImageClient::new(work_dir.path().to_path_buf());
     if cfg!(feature = "snapshot-overlayfs") {
         image_client
-            .pull_image(image, bundle_dir.path(), &None, &Some(common::AA_PARAMETER))
+            .pull_image(image, bundle_dir.path(), &None, &None)
             .await
             .expect("failed to download image");
         common::umount_bundle(&bundle_dir);
     } else {
         image_client
-            .pull_image(image, bundle_dir.path(), &None, &Some(common::AA_PARAMETER))
+            .pull_image(image, bundle_dir.path(), &None, &None)
             .await
             .unwrap_err();
     }
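Review bot: `.env("AA_KBC_PARAM", AA_PARAMETER)` is added only in the `keywrap-ttrpc` arm of `cfg_if!`, yet `test_decrypt_layers` in image_decryption.rs now passes `&None` in place of `&Some(common::AA_PARAMETER)` and so relies entirely on the CDH picking up its KBC configuration from the environment; if the other arm (outside the hunk) also spawns a CDH, it needs the same `.env(...)` or the test's decryption path silently loses its key-provider configuration. The `AA_PARAMETER` doc comment in the first hunk of this file still reads `/// Attestation Agent Key Provider Parameter` although the value is no longer a `provider:attestation-agent:...` key-provider string but a KBC parameter exported to the CDH; `/// KBC parameter handed to the confidential-data-hub via the \`AA_KBC_PARAM\` environment variable (offline_fs_kbc for tests)` would describe the new use. `start_confidential_data_hub` begins and ends outside the hunk.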