diff --git a/src/agent/Makefile b/src/agent/Makefile
index ba065b4d04..a3eb567059 100644
--- a/src/agent/Makefile
+++ b/src/agent/Makefile
@@ -33,6 +33,13 @@ ifeq ($(SECCOMP),yes)
     override EXTRA_RUSTFEATURES += seccomp
 endif
 
+SEALED_SECRET ?= no
+
+# Enable sealed-secret feature of rust build
+ifeq ($(SEALED_SECRET),yes)
+    override EXTRA_RUSTFEATURES += sealed-secret
+endif
+
 include ../../utils.mk
 
 ifeq ($(ARCH), ppc64le)
diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index 92e1632419..538df325ce 100755
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -28,6 +28,8 @@ LIBC=${LIBC:-musl}
 # The kata agent enables seccomp feature.
 # However, it is not enforced by default: you need to enable that in the main configuration file.
 SECCOMP=${SECCOMP:-"yes"}
+# The kata agent enables sealed-secret feature.
+SEALED_SECRET=${SEALED_SECRET:-"no"}
 SELINUX=${SELINUX:-"no"}
 
 lib_file="${script_dir}/../scripts/lib.sh"
@@ -156,6 +158,10 @@ ROOTFS_DIR          Path to the directory that is populated with the rootfs.
 SECCOMP             When set to "no", the kata-agent is built without seccomp capability.
                     Default value: "yes"
 
+SEALED_SECRET       When set to "yes", the kata-agent is built with sealed-secret
+                    capability.
+                    Default value: "no"
+
 SELINUX             When set to "yes", build the rootfs with the required packages to
                     enable SELinux in the VM.
                     Make sure the guest kernel is compiled with SELinux enabled.
@@ -469,6 +475,7 @@ build_rootfs_distro()
 			--env INSIDE_CONTAINER=1 \
 			--env AA_KBC="${AA_KBC}" \
 			--env SECCOMP="${SECCOMP}" \
+			--env SEALED_SECRET="${SEALED_SECRET}" \
 			--env SELINUX="${SELINUX}" \
 			--env DEBUG="${DEBUG}" \
 			--env HOME="/root" \
@@ -630,7 +637,7 @@ EOF
 			git checkout "${AGENT_VERSION}" && OK "git checkout successful" || die "checkout agent ${AGENT_VERSION} failed!"
 		fi
 		make clean
-		make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP}
+		make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP} SEALED_SECRET=${SEALED_SECRET}
 		make install DESTDIR="${ROOTFS_DIR}" LIBC=${LIBC} INIT=${AGENT_INIT}
 		if [ "${SECCOMP}" == "yes" ]; then
 			rm -rf "${libseccomp_install_dir}" "${gperf_install_dir}"
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index 8d1835bdad..afdb149861 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -228,6 +228,7 @@ install_cc_image() {
 	export KATA_BUILD_CC=yes
 	export MEASURED_ROOTFS=yes
 	export DM_VERITY=yes
+	export SEALED_SECRET=yes
 	variant="${1:-}"
 
 	install_image "${variant}"