diff --git a/src/gausskernel/security/keymgr/encrypt/security_aead_aes_hmac_enc_key.cpp b/src/gausskernel/security/keymgr/encrypt/security_aead_aes_hmac_enc_key.cpp
index db55850b0..8528473e0 100644
--- a/src/gausskernel/security/keymgr/encrypt/security_aead_aes_hmac_enc_key.cpp
+++ b/src/gausskernel/security/keymgr/encrypt/security_aead_aes_hmac_enc_key.cpp
@@ -47,14 +47,6 @@ const unsigned char *AeadAesHamcEncKey::g_iv_key_salt_format =
 
 const int RAND_COUNT = 100;
 
-void HmacCtxGroup::free_hmac_ctx(HMAC_CTX** ctx_tmp) const
-{
-    if (*ctx_tmp != NULL) {
-        HMAC_CTX_free(*ctx_tmp);
-        *ctx_tmp = NULL;
-    }
-}
-
 /* Derives all the required keys from the given root key */
 AeadAesHamcEncKey::AeadAesHamcEncKey(unsigned char *root_key, size_t root_key_size)
 {
diff --git a/src/gausskernel/security/keymgr/encrypt/security_sm2_enc_key.cpp b/src/gausskernel/security/keymgr/encrypt/security_sm2_enc_key.cpp
index 350e9898d..a1c1f27a3 100644
--- a/src/gausskernel/security/keymgr/encrypt/security_sm2_enc_key.cpp
+++ b/src/gausskernel/security/keymgr/encrypt/security_sm2_enc_key.cpp
@@ -161,6 +161,13 @@ CmkemErrCode encrypt_with_sm2_pubkey(CmkemUStr *plain, CmkemUStr *pub_key, Cmkem
         return CMKEM_EVP_ERR;
     }
 
+    ret = EVP_PKEY_set_alias_type(public_evp_key, EVP_PKEY_SM2);
+    if (ret != 1) {
+        cmkem_errmsg("EVP_PKEY_set_alias_type to EVP_PKEY_SM2 failed!");
+        EVP_PKEY_free(public_evp_key);
+        return CMKEM_EVP_ERR;
+    }
+
     /* do cipher. */
     ctx = EVP_PKEY_CTX_new(public_evp_key, NULL);
     EVP_PKEY_free(public_evp_key);
@@ -244,6 +251,13 @@ CmkemErrCode decrypt_with_sm2_privkey(CmkemUStr *cipher, CmkemUStr *priv_key, Cm
         return CMKEM_EVP_ERR;
     }
 
+    ret = EVP_PKEY_set_alias_type(private_evp_key, EVP_PKEY_SM2);
+    if (ret != 1) {
+        cmkem_errmsg("EVP_PKEY_set_alias_type to EVP_PKEY_SM2 failed!");
+        EVP_PKEY_free(private_evp_key);
+        return CMKEM_EVP_ERR;
+    }
+
     /* do cipher. */
     ctx = EVP_PKEY_CTX_new(private_evp_key, NULL);
     EVP_PKEY_free(private_evp_key);
diff --git a/src/gausskernel/security/keymgr/localkms/security_localkms.cpp b/src/gausskernel/security/keymgr/localkms/security_localkms.cpp
index 69f8ae440..079031f69 100644
--- a/src/gausskernel/security/keymgr/localkms/security_localkms.cpp
+++ b/src/gausskernel/security/keymgr/localkms/security_localkms.cpp
@@ -45,7 +45,7 @@
 const int MAX_KEY_PATH_LEN = 64;
 const int MIN_KEY_PATH_LEN = 1;
 
-static const char *g_support_algo[] = {"RSA_3072", "SM2", NULL};
+static const char *g_support_algo[] = {"RSA_2048", "RSA_3072", "SM2", NULL};
 
 LocalKmsMgr *localkms_new(KmErr *err)
 {
@@ -427,7 +427,7 @@ void kms_mk_create(KeyMgr *kmgr, KeyInfo info)
 
     switch (get_algo_by_str(info.algo)) {
         case AT_RSA_2048:
-            km_err_msg(kms->kmgr.err, "rsa_2048 is not safe now, please use rsa_3072 instead.");
+            ret = create_and_write_rsa_key_pair(info.id, RSA2048_KEN_LEN);
             return;
         case AT_RSA_3072:
             ret = create_and_write_rsa_key_pair(info.id, RSA3072_KEN_LEN);
@@ -493,11 +493,6 @@ char *kms_mk_select(KeyMgr *kmgr, KeyInfo info)
         return NULL;
     }
 
-    if (strcasecmp(info.algo, "RSA_2048") == 0) {
-        km_err_msg(kms->kmgr.err, "rsa_2048 is not safe now, please use rsa_3072 instead.");
-        return NULL;
-    }
-
     ret = check_cmk_algo_validity(info.algo);
     if (ret != CMKEM_SUCCEED) {
         km_err_msg(kms->kmgr.err, "%s", get_cmkem_errmsg(ret));
@@ -518,9 +513,8 @@ KmUnStr kms_mk_encrypt(KeyMgr *kmgr, KeyInfo info, KmUnStr plain)
 
     switch (get_algo_by_str(info.algo)) {
         case AT_RSA_2048:
-            km_err_msg(kms->kmgr.err, "the algorithm of master key is rsa_2048, but rsa_2048 is not safe now, "
-                "please create new master key with rsa_3072.");
-            return cipher;
+            ret = encrypt_cek_with_rsa(&_plain, info.id, &_cipher);
+            break;
         case AT_RSA_3072:
             ret = encrypt_cek_with_rsa(&_plain, info.id, &_cipher);
             break;
@@ -551,7 +545,7 @@ KmUnStr kms_mk_decrypt(KeyMgr *kmgr, KeyInfo info, KmUnStr cipher)
     CmkemUStr *_plain = NULL;
 
     switch (get_algo_by_str(info.algo)) {
-        case AT_RSA_2048: /* only decrypt the existing data encrypted by old version of opengauss */
+        case AT_RSA_2048:
         case AT_RSA_3072:
             ret = decrypt_cek_with_rsa(&_cipher, info.id, &_plain);
             break;
diff --git a/src/include/keymgr/encrypt/security_aead_aes_hamc_enc_key.h b/src/include/keymgr/encrypt/security_aead_aes_hamc_enc_key.h
index b66c0307d..d556ab459 100644
--- a/src/include/keymgr/encrypt/security_aead_aes_hamc_enc_key.h
+++ b/src/include/keymgr/encrypt/security_aead_aes_hamc_enc_key.h
@@ -49,7 +49,13 @@ public:
     HMAC_CTX* ctx_worker;
     HMAC_CTX* ctx_template;
 private:
-    void free_hmac_ctx(HMAC_CTX** ctx_tmp) const;
+    void free_hmac_ctx(HMAC_CTX** ctx_tmp)
+    {
+        if (*ctx_tmp != NULL) {
+            HMAC_CTX_free(*ctx_tmp);
+            *ctx_tmp = NULL;
+        }
+    }
 };
 
 /*