diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs index 48c8357354..3e634529b6 100644 --- a/src/agent/src/rpc.rs +++ b/src/agent/src/rpc.rs @@ -2317,8 +2317,13 @@ async fn cdh_handler_trusted_storage(oci: &mut Spec) -> Result<()> { for specdev in devices.iter() { if specdev.path().as_path().to_str() == Some(TRUSTED_IMAGE_STORAGE_DEVICE) { let dev_major_minor = format!("{}:{}", specdev.major(), specdev.minor()); - cdh_secure_mount("BlockDevice", &dev_major_minor, "LUKS", KATA_IMAGE_WORK_DIR) - .await?; + cdh_secure_mount( + "block-device", + &dev_major_minor, + "luks2", + KATA_IMAGE_WORK_DIR, + ) + .await?; break; } } @@ -2349,10 +2354,21 @@ pub(crate) async fn cdh_secure_mount( let options = std::collections::HashMap::from([ ("deviceId".to_string(), device_id.to_string()), - ("encryptType".to_string(), encrypt_type.to_string()), + ("sourceType".to_string(), "empty".to_string()), + ("targetType".to_string(), "fileSystem".to_string()), + ("filesystemType".to_string(), "ext4".to_string()), + ("mkfsOpts".to_string(), "-E lazy_journal_init".to_string()), + ("encryptionType".to_string(), encrypt_type.to_string()), ("dataIntegrity".to_string(), integrity), ]); + std::fs::create_dir_all(mount_point).inspect_err(|e| { + error!( + sl(), + "Failed to create mount point directory {}: {:?}", mount_point, e + ); + })?; + confidential_data_hub::secure_mount(device_type, &options, vec![], mount_point).await?; Ok(()) diff --git a/src/agent/src/storage/block_handler.rs b/src/agent/src/storage/block_handler.rs index 30a3447156..4b72afd876 100644 --- a/src/agent/src/storage/block_handler.rs +++ b/src/agent/src/storage/block_handler.rs 
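Review bot: The new `"block-device"` and `"luks2"` literals are repeated verbatim at the cdh_secure_mount call in src/agent/src/storage/block_handler.rs, so the CDH-side names live in two places and this commit's own `"BlockDevice"`→`"block-device"` rename had to touch both. Two crate-level constants next to `cdh_secure_mount`, e.g. `pub(crate) const CDH_BLOCK_DEVICE: &str = "block-device";` and `pub(crate) const CDH_LUKS2: &str = "luks2";` (names are suggestions), used at both call sites would keep them in step with the CDH contract. cdh_handler_trusted_storage starts and continues outside this hunk.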
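Review bot: `std::fs::create_dir_all(mount_point)` also returns Ok when the path already exists, so it does not establish that the target is a fresh, empty directory, and for the block_handler.rs caller `mount_point` is `&storage.mount_point`, which appears to come from the storage request rather than being a path the agent chose itself; if `secure_mount` needs an empty target, checking `std::fs::read_dir(mount_point)?.next().is_none()` before the call would make that precondition explicit instead of leaving it to CDH. The fixed `"sourceType": "empty"`, `"filesystemType": "ext4"` and `"mkfsOpts"` entries also indicate CDH will now create a new ext4 filesystem on `device_id` for every caller regardless of `device_type` and `encrypt_type`, which the function's doc comment should state (roughly: sets up `device_id` as a freshly formatted, `encrypt_type`-encrypted ext4 filesystem and mounts it at `mount_point`; existing contents are not preserved). The signature of cdh_secure_mount is above this hunk.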
@@ -59,7 +59,8 @@ async fn handle_block_storage( .contains(&"encryption_key=ephemeral".to_string()); if has_ephemeral_encryption { - crate::rpc::cdh_secure_mount("BlockDevice", dev_num, "LUKS", &storage.mount_point).await?; + crate::rpc::cdh_secure_mount("block-device", dev_num, "luks2", &storage.mount_point) + .await?; set_ownership(logger, storage)?; new_device(storage.mount_point.clone()) } else { diff --git a/src/libs/protocols/protos/confidential_data_hub.proto b/src/libs/protocols/protos/confidential_data_hub.proto index 44911f2923..94d3007000 100644 --- a/src/libs/protocols/protos/confidential_data_hub.proto +++ b/src/libs/protocols/protos/confidential_data_hub.proto @@ -24,9 +24,7 @@ message SecureMountRequest { string mount_point = 4; } -message SecureMountResponse { - string mount_path = 1; -} +message SecureMountResponse {} message ImagePullRequest { // - `image_url`: The reference of the image to pull diff --git a/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh b/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh index da4e13c89b..b0529155aa 100644 --- a/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh +++ b/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh @@ -329,8 +329,6 @@ coco_guest_components() { mkdir -p "${pause_dir}/rootfs" cp -a "${stage_one}/${pause_dir}"/config.json "${pause_dir}/." cp -a "${stage_one}/${pause_dir}"/rootfs/pause "${pause_dir}/rootfs/." - - info "TODO: nvidia: luks-encrypt-storage is a bash script, we do not have a shell!" } setup_nvidia_gpu_rootfs_stage_two() { diff --git a/tools/packaging/static-build/coco-guest-components/Dockerfile b/tools/packaging/static-build/coco-guest-components/Dockerfile index 79ef04bba2..c0e91231c2 100644 --- a/tools/packaging/static-build/coco-guest-components/Dockerfile +++ b/tools/packaging/static-build/coco-guest-components/Dockerfile @@ -25,6 +25,7 @@ RUN apt-get update && \ g++ \ gcc \ git \ + libcryptsetup-dev \ libssl-dev \ libtss2-dev \ make \ 
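Review bot: Removing `string mount_path = 1;` from `SecureMountResponse` frees field number 1 for reuse, so a later field added as `= 1` with a different type would be decoded from an older peer's response as that new field. The empty message should keep `reserved 1;` and `reserved "mount_path";` in its body instead of the bare `{}`, which is the protobuf convention for retired fields and costs nothing on the wire.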
diff --git a/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh b/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh index 6eaf925ee4..600769ad98 100755 --- a/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh +++ b/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh @@ -34,7 +34,6 @@ build_coco_guest_components_from_source() { strip "target/${RUST_ARCH}-unknown-linux-${LIBC}/release/api-server-rest" DESTDIR="${DESTDIR}/usr/local/bin" TEE_PLATFORM=${TEE_PLATFORM} make install - install -D -m0755 "confidential-data-hub/hub/src/storage/scripts/luks-encrypt-storage" "${DESTDIR}/usr/local/bin/luks-encrypt-storage" install -D -m0644 "confidential-data-hub/hub/src/image/ocicrypt_config.json" "${DESTDIR}/etc/ocicrypt_config.json" popd } diff --git a/versions.yaml b/versions.yaml index b157afb5e2..cd3f972a29 100644 --- a/versions.yaml +++ b/versions.yaml @@ -288,7 +288,7 @@ externals: coco-guest-components: description: "Provides attested key unwrapping for image decryption" url: "https://github.com/confidential-containers/guest-components/" - version: "9aae2eae6a03ab97d6561bbe74f8b99843836bba" + version: "ab95914ac84c32a43102463cc0ae330710af47be" toolchain: "1.90.0" coco-trustee: