diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs
index 6d1327d765..3b45b2d467 100644
--- a/src/agent/src/main.rs
+++ b/src/agent/src/main.rs
@@ -59,7 +59,6 @@ mod util;
 mod version;
 mod watcher;
-use cdh::CDHClient;
 use config::GuestComponentsProcs;
 use mount::{cgroups_mount, general_mount};
 use sandbox::Sandbox;
@@ -408,7 +407,6 @@ async fn start_sandbox(
 let (tx, rx) = tokio::sync::oneshot::channel();
 sandbox.lock().await.sender = Some(tx);
- let mut cdh_client = None;
 let gc_procs = config.guest_components_procs;
 if gc_procs != GuestComponentsProcs::None {
 if !attestation_binaries_available(logger, &gc_procs) {
@@ -417,18 +415,12 @@ async fn start_sandbox(
 "attestation binaries requested for launch not available"
 );
 } else {
- cdh_client = init_attestation_components(logger, config)?;
+ init_attestation_components(logger, config).await?;
 }
 }
 // vsock:///dev/vsock, port
- let mut server = rpc::start(
- sandbox.clone(),
- config.server_addr.as_str(),
- init_mode,
- cdh_client,
- )
- .await?;
+ let mut server = rpc::start(sandbox.clone(), config.server_addr.as_str(), init_mode).await?;
 server.start().await?;
@@ -459,10 +451,10 @@ fn attestation_binaries_available(logger: &Logger, procs: &GuestComponentsProcs)
 // and the corresponding procs are enabled in the agent configuration. the process will be
 // launched in the background and the function will return immediately.
 // If the CDH is started, a CDH client will be instantiated and returned.
-fn init_attestation_components(logger: &Logger, config: &AgentConfig) -> Result> {
+async fn init_attestation_components(logger: &Logger, config: &AgentConfig) -> Result<()> {
 // skip launch of any guest-component
 if config.guest_components_procs == GuestComponentsProcs::None {
- return Ok(None);
+ return Ok(());
 }
 debug!(logger, "spawning attestation-agent process {}", AA_PATH);
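Review bot: The doc comment kept above `init_attestation_components` still says "If the CDH is started, a CDH client will be instantiated and returned", but the new signature returns `Result<()>` and the client is now initialized inside the `cdh` module rather than handed back, so the sentence is stale as of this hunk. I would replace it with `// If the CDH is started, the process-wide client in the cdh module is initialized as well.` and mention that the function is now async and is awaited from start_sandbox before the RPC server is started. The body of init_attestation_components continues past the end of this hunk.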
@@ -477,7 +469,7 @@ fn init_attestation_components(logger: &Logger, config: &AgentConfig) -> Result<
 // skip launch of confidential-data-hub and api-server-rest
 if config.guest_components_procs == GuestComponentsProcs::AttestationAgent {
- return Ok(None);
+ return Ok(());
 }
 let ocicrypt_config = serde_json::json!({
@@ -505,11 +497,12 @@ fn init_attestation_components(logger: &Logger, config: &AgentConfig) -> Result<
 )
 .map_err(|e| anyhow!("launch_process {} failed: {:?}", CDH_PATH, e))?;
- let cdh_client = CDHClient::new().context("Failed to create CDH Client")?;
+ // initialize cdh client
+ cdh::init_cdh_client().await?;
 // skip launch of api-server-rest
 if config.guest_components_procs == GuestComponentsProcs::ConfidentialDataHub {
- return Ok(Some(cdh_client));
+ return Ok(());
 }
 let features = config.guest_components_rest_api;
@@ -526,7 +519,7 @@ fn init_attestation_components(logger: &Logger, config: &AgentConfig) -> Result<
 )
 .map_err(|e| anyhow!("launch_process {} failed: {:?}", API_SERVER_PATH, e))?;
- Ok(Some(cdh_client))
+ Ok(())
 }
 fn wait_for_path_to_exist(logger: &Logger, path: &str, timeout_secs: i32) -> Result<()> {
diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs
index 92cb0a6381..d16faaab4a 100644
--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@@ -55,6 +55,7 @@ use nix::sys::{stat, statfs};
 use nix::unistd::{self, Pid};
 use rustjail::process::ProcessOperations;
+use crate::cdh;
 use crate::device::{
 add_devices, get_virtio_blk_pci_device_name, update_env_pci, wait_for_net_interface,
 };
@@ -83,8 +84,6 @@ use crate::policy::{do_set_policy, is_allowed};
 #[cfg(feature = "guest-pull")]
 use crate::image;
-use crate::cdh::CDHClient;
 use opentelemetry::global;
 use tracing::span;
 use tracing_opentelemetry::OpenTelemetrySpanExt;
@@ -180,7 +179,6 @@ impl OptionToTtrpcResult for Option {
 pub struct AgentService {
 sandbox: Arc>,
 init_mode: bool,
- cdh_client: Option,
 }
 impl AgentService {
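Review bot: The new `cdh::init_cdh_client().await?;` in the -505 hunk drops the `.context("Failed to create CDH Client")` that the removed line carried, so when client initialization fails the error that aborts sandbox start no longer says which step failed, whereas the neighbouring `launch_process` errors in this function each name their binary path. Keep the context on the new call: `cdh::init_cdh_client().await.context("Failed to create CDH Client")?;` (anyhow's Context was already in use on the removed line; this assumes init_cdh_client returns an anyhow-compatible error). The added `// initialize cdh client` comment only restates the call; the useful fact is the ordering, e.g. `// must run after the CDH process has been launched above`. The enclosing function starts and ends outside this hunk.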
@@ -226,19 +224,17 @@ impl AgentService {
 // cannot predict everything from the caller.
 add_devices(&req.devices, &mut oci, &self.sandbox).await?;
- if let Some(cdh) = self.cdh_client.as_ref() {
- let process = oci
- .process_mut()
- .as_mut()
- .ok_or_else(|| anyhow!("Spec didn't contain process field"))?;
+ let process = oci
+ .process_mut()
+ .as_mut()
+ .ok_or_else(|| anyhow!("Spec didn't contain process field"))?;
- if let Some(envs) = process.env_mut().as_mut() {
- for env in envs.iter_mut() {
- match cdh.unseal_env(env).await {
- Ok(unsealed_env) => *env = unsealed_env.to_string(),
- Err(e) => {
- warn!(sl(), "Failed to unseal secret: {}", e)
- }
+ if let Some(envs) = process.env_mut().as_mut() {
+ for env in envs.iter_mut() {
+ match cdh::unseal_env(env).await {
+ Ok(unsealed_env) => *env = unsealed_env.to_string(),
+ Err(e) => {
+ warn!(sl(), "Failed to unseal secret: {}", e)
 }
 }
 }
@@ -261,16 +257,13 @@ impl AgentService {
 secure_storage_integrity
 );
- if let Some(cdh) = self.cdh_client.as_ref() {
- let options = std::collections::HashMap::from([
- ("deviceId".to_string(), dev_major_minor),
- ("encryptType".to_string(), "LUKS".to_string()),
- ("dataIntegrity".to_string(), secure_storage_integrity),
- ]);
- cdh.secure_mount("BlockDevice", &options, vec![], KATA_IMAGE_WORK_DIR)
- .await?;
- break;
- }
+ let options = std::collections::HashMap::from([
+ ("deviceId".to_string(), dev_major_minor),
+ ("encryptType".to_string(), "LUKS".to_string()),
+ ("dataIntegrity".to_string(), secure_storage_integrity),
+ ]);
+ cdh::secure_mount("BlockDevice", &options, vec![], KATA_IMAGE_WORK_DIR).await?;
+ break;
 }
 }
 }
@@ -1681,12 +1674,10 @@ pub async fn start(
 s: Arc>,
 server_address: &str,
 init_mode: bool,
- cdh_client: Option,
 ) -> Result {
 let agent_service = Box::new(AgentService {
 sandbox: s,
 init_mode,
- cdh_client,
 }) as Box;
 let aservice = agent_ttrpc::create_agent_service(Arc::new(agent_service));
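Review bot: With the `if let Some(cdh)` guard removed in the -226 hunk, every env entry of every container is now passed to `cdh::unseal_env`, including on sandboxes whose `guest_components_procs` is `None` or `AttestationAgent`, where `init_cdh_client` was never called; unless unseal_env short-circuits on values that are not sealed secrets (not visible here), that means one "Failed to unseal secret" warning and one client call per environment variable on such sandboxes. The `Err(e)` arm also keeps the pre-existing fail-open behaviour: the still-sealed value stays in the environment and the container starts anyway, so a workload whose secret could not be unsealed runs with an opaque placeholder instead of failing. If that is deliberate so non-CDH sandboxes keep working, say so on the `warn!` line, e.g. `// best effort: a value that cannot be unsealed is left as-is so sandboxes without a CDH still start`; otherwise consider returning the error when the CDH was configured. The enclosing method starts before and ends after this hunk.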
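Review bot: In the -261 hunk `cdh::secure_mount(...).await?` is now reached for every sandbox that carries this storage type, not only when a CDH client existed, so a sandbox without a CDH no longer silently skips the mount but fails `create_container`; that is the safer outcome for an encrypted block device, but it depends on `cdh::secure_mount` returning an error rather than panicking when `init_cdh_client` was never called, which is not visible here and worth confirming. The error also propagates without naming the device or mount that failed; adding `.context("secure_mount of BlockDevice failed")` (anyhow::Context) before the `?` would make the failure attributable in the agent log. The enclosing method starts before and ends after this hunk.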
@@ -2245,7 +2236,6 @@ mod tests {
 let agent_service = Box::new(AgentService {
 sandbox: Arc::new(Mutex::new(sandbox)),
 init_mode: true,
- cdh_client: None,
 });
 let req = protocols::agent::UpdateInterfaceRequest::default();
@@ -2263,7 +2253,6 @@ mod tests {
 let agent_service = Box::new(AgentService {
 sandbox: Arc::new(Mutex::new(sandbox)),
 init_mode: true,
- cdh_client: None,
 });
 let req = protocols::agent::UpdateRoutesRequest::default();
@@ -2281,7 +2270,6 @@ mod tests {
 let agent_service = Box::new(AgentService {
 sandbox: Arc::new(Mutex::new(sandbox)),
 init_mode: true,
- cdh_client: None,
 });
 let req = protocols::agent::AddARPNeighborsRequest::default();
@@ -2420,7 +2408,6 @@ mod tests {
 let agent_service = Box::new(AgentService {
 sandbox: Arc::new(Mutex::new(sandbox)),
 init_mode: true,
- cdh_client: None,
 });
 let result = agent_service
@@ -2919,7 +2906,6 @@ OtherField:other
 let agent_service = Box::new(AgentService {
 sandbox: Arc::new(Mutex::new(sandbox)),
 init_mode: true,
- cdh_client: None,
 });
 let ctx = mk_ttrpc_context();