diff --git a/frameworks/innerkitsimpl/distributeddatafwk/src/itypes_util.cpp b/frameworks/innerkitsimpl/distributeddatafwk/src/itypes_util.cpp
index 19e4d2509a69b4e1b31a062405564c03d77b46f8..0b8a05f303ae4157789cb3876aedbcc886d86456 100644
--- a/frameworks/innerkitsimpl/distributeddatafwk/src/itypes_util.cpp
+++ b/frameworks/innerkitsimpl/distributeddatafwk/src/itypes_util.cpp
@@ -208,10 +208,18 @@ bool ITypesUtil::Marshalling(const DistributedRdb::RdbSyncerParam &param, Messag
         ZLOGE("RdbStoreParam write type failed");
         return false;
     }
+    if (!parcel.WriteUInt8Vector(param.password_)) {
+        ZLOGE("RdbStoreParam write password failed");
+        return false;
+    }
     if (!parcel.WriteBool(param.isAutoSync_)) {
         ZLOGE("RdbStoreParam write auto sync failed");
         return false;
     }
+    if (!parcel.WriteBool(param.isEncrypt_)) {
+        ZLOGE("RdbStoreParam write encrypt sync failed");
+        return false;
+    }
     return true;
 }
 
@@ -241,10 +249,18 @@ bool ITypesUtil::Unmarshalling(DistributedRdb::RdbSyncerParam &param, MessagePar
         ZLOGE("RdbStoreParam read type failed");
         return false;
     }
+    if (!parcel.ReadUInt8Vector(&(param.password_))) {
+        ZLOGE("RdbStoreParam read password failed");
+        return false;
+    }
     if (!parcel.ReadBool(param.isAutoSync_)) {
         ZLOGE("RdbStoreParam read auto sync failed");
         return false;
     }
+    if (!parcel.ReadBool(param.isEncrypt_)) {
+        ZLOGE("RdbStoreParam read encrypt sync failed");
+        return false;
+    }
     return true;
 }
 
diff --git a/frameworks/innerkitsimpl/rdb/include/rdb_types.h b/frameworks/innerkitsimpl/rdb/include/rdb_types.h
index 792fd4bccca4891b03782b1c89120fd0b4658d4c..802f057dc57a0bce6310fe796f7014bf93c47e80 100644
--- a/frameworks/innerkitsimpl/rdb/include/rdb_types.h
+++ b/frameworks/innerkitsimpl/rdb/include/rdb_types.h
@@ -40,6 +40,8 @@ struct RdbSyncerParam {
     int32_t level_ = 0;
     int32_t type_ = RDB_DEVICE_COLLABORATION;
     bool isAutoSync_ = false;
+    bool isEncrypt_ = false;
+    std::vector<uint8_t> password_;
 };
 
 enum SyncMode {
diff --git a/frameworks/innerkitsimpl/rdb/src/rdb_service_proxy.cpp b/frameworks/innerkitsimpl/rdb/src/rdb_service_proxy.cpp
index 078b8f590493d3676200de25d689b2fe7ed32fb4..ec33e9851b1ed20aeb6570388deb18a71d6910fa 100644
--- a/frameworks/innerkitsimpl/rdb/src/rdb_service_proxy.cpp
+++ b/frameworks/innerkitsimpl/rdb/src/rdb_service_proxy.cpp
@@ -211,6 +211,11 @@ int32_t RdbServiceProxy::DoAsync(const RdbSyncerParam& param, const SyncOption &
 int32_t RdbServiceProxy::SetDistributedTables(const RdbSyncerParam& param, const std::vector<std::string> &tables)
 {
     MessageParcel data;
+    ZLOGE("wwwk %{public}d",param.isEncrypt_);
+    for(auto i:param.password_){
+        ZLOGE("wwwk = %{public}u",i);
+    }
+    ZLOGE("wwk = %{public}d",param.password_.size());
     if (!data.WriteInterfaceToken(IRdbService::GetDescriptor())) {
         ZLOGE("write descriptor failed");
         return RDB_ERROR;
diff --git a/services/distributeddataservice/service/rdb/rdb_service_impl.cpp b/services/distributeddataservice/service/rdb/rdb_service_impl.cpp
index b12900dd16c9c9cfb5c0b32a6b841b8fd1ef640e..efe93be4244a9f0fa94b39261731c53af0d7cef2 100644
--- a/services/distributeddataservice/service/rdb/rdb_service_impl.cpp
+++ b/services/distributeddataservice/service/rdb/rdb_service_impl.cpp
@@ -202,6 +202,10 @@ void RdbServiceImpl::SyncerTimeout(std::shared_ptr<RdbSyncer> syncer)
 
 std::shared_ptr<RdbSyncer> RdbServiceImpl::GetRdbSyncer(const RdbSyncerParam &param)
 {
+    for(auto i:param.password_){
+        ZLOGE("wwwk = %{public}u",i);
+    }
+    ZLOGE("wwk = %{public}d",param.password_.size());
     pid_t pid = GetCallingPid();
     pid_t uid = GetCallingUid();
     uint32_t tokenId = GetCallingTokenID();
@@ -211,10 +215,13 @@ std::shared_ptr<RdbSyncer> RdbServiceImpl::GetRdbSyncer(const RdbSyncerParam &pa
         auto it = syncers.find(storeId);
         if (it != syncers.end()) {
             syncer = it->second;
-            timer_.Unregister(syncer->GetTimerId());
-            uint32_t timerId = timer_.Register([this, syncer]() { SyncerTimeout(syncer); }, SYNCER_TIMEOUT, true);
-            syncer->SetTimerId(timerId);
-            return true;
+            if(!param.isEncrypt_ || param.password_.empty()){
+                timer_.Unregister(syncer->GetTimerId());
+                uint32_t timerId = timer_.Register([this, syncer]() { SyncerTimeout(syncer); }, SYNCER_TIMEOUT, true);
+                syncer->SetTimerId(timerId);
+                return true; 
+            }
+            syncers.erase(storeId); 
         }
         if (syncers.size() >= MAX_SYNCER_PER_PROCESS) {
             ZLOGE("%{public}d exceed MAX_PROCESS_SYNCER_NUM", pid);
diff --git a/services/distributeddataservice/service/rdb/rdb_service_stub.cpp b/services/distributeddataservice/service/rdb/rdb_service_stub.cpp
index 9dca63d51476b0e9a5c52b1af9b2922a602f741c..76a71a0ecbfe2548decd1695bc03d0cd72cf7669 100644
--- a/services/distributeddataservice/service/rdb/rdb_service_stub.cpp
+++ b/services/distributeddataservice/service/rdb/rdb_service_stub.cpp
@@ -68,7 +68,10 @@ int32_t RdbServiceStub::OnRemoteSetDistributedTables(MessageParcel &data, Messag
         reply.WriteInt32(RDB_ERROR);
         return RDB_OK;
     }
-
+    for(auto i:param.password_){
+        ZLOGE("wwwk = %{public}u",i);
+    }
+    ZLOGE("wwk = %{public}d",param.password_.size());
     reply.WriteInt32(SetDistributedTables(param, tables));
     return RDB_OK;
 }
diff --git a/services/distributeddataservice/service/rdb/rdb_syncer.cpp b/services/distributeddataservice/service/rdb/rdb_syncer.cpp
index ae012d33220c5af3ccf547ef4f234c44ea27f841..68007f3da44f25af683b68902450aea35ba4e3cb 100644
--- a/services/distributeddataservice/service/rdb/rdb_syncer.cpp
+++ b/services/distributeddataservice/service/rdb/rdb_syncer.cpp
@@ -15,9 +15,12 @@
 #define LOG_TAG "RdbSyncer"
 #include "rdb_syncer.h"
 
+#include <chrono>
+
 #include "accesstoken_kit.h"
 #include "account/account_delegate.h"
 #include "checker/checker_manager.h"
+#include "crypto_manager.h"
 #include "directory_manager.h"
 #include "kvstore_utils.h"
 #include "log_print.h"
@@ -34,6 +37,7 @@ using OHOS::DistributedKv::AccountDelegate;
 using OHOS::AppDistributedKv::CommunicationProvider;
 using namespace OHOS::Security::AccessToken;
 using namespace OHOS::DistributedData;
+using system_clock = std::chrono::system_clock;
 namespace OHOS::DistributedRdb {
 RdbSyncer::RdbSyncer(const RdbSyncerParam& param, RdbStoreObserverImpl* observer)
     : param_(param), observer_(observer)
@@ -43,6 +47,7 @@ RdbSyncer::RdbSyncer(const RdbSyncerParam& param, RdbStoreObserverImpl* observer
 
 RdbSyncer::~RdbSyncer() noexcept
 {
+    param_.password_.assign(param_.password_.size(), 0);
     ZLOGI("destroy %{public}s", param_.storeName_.c_str());
     if ((manager_ != nullptr) && (delegate_ != nullptr)) {
         manager_->CloseStore(delegate_);
@@ -99,6 +104,9 @@ int32_t RdbSyncer::Init(pid_t pid, pid_t uid, uint32_t token)
     pid_ = pid;
     uid_ = uid;
     token_ = token;
+    for(auto i:param_.password_){
+        ZLOGE("wwwk = %{public}u",i);
+    }
     StoreMetaData meta;
     if (CreateMetaData(meta) != RDB_OK) {
         ZLOGE("create meta data failed");
@@ -129,6 +137,7 @@ int32_t RdbSyncer::CreateMetaData(StoreMetaData &meta)
     meta.hapName = param_.hapName_;
     meta.dataDir = DirectoryManager::GetInstance().GetStorePath(meta) + "/" + param_.storeName_;
     meta.account = AccountDelegate::GetInstance()->GetCurrentAccountId();
+    meta.isEncrypt = param_.isEncrypt_;
 
     StoreMetaData old;
     bool isCreated = MetaDataManager::GetInstance().LoadMeta(meta.GetKey(), old);
@@ -140,13 +149,51 @@ int32_t RdbSyncer::CreateMetaData(StoreMetaData &meta)
             meta.isEncrypt, old.area, meta.area);
         return RDB_ERROR;
     }
-
     auto saved = MetaDataManager::GetInstance().SaveMeta(meta.GetKey(), meta);
     AppIDMetaData appIdMeta;
     appIdMeta.bundleName = meta.bundleName;
     appIdMeta.appId = meta.appId;
     saved = MetaDataManager::GetInstance().SaveMeta(appIdMeta.GetKey(), appIdMeta, true);
-    return saved ? RDB_OK : RDB_ERROR;
+    if(!saved){
+        ZLOGE("wwwk saved ERROR");
+        return RDB_ERROR;
+    }
+    if(!param_.isEncrypt_ || param_.password_.empty()){
+        ZLOGE("wwwk password empty");
+        return RDB_OK;
+    }
+    SecretKeyMetaData newSecretKey;
+    newSecretKey.storeType = meta.storeType;
+    newSecretKey.sKey = CryptoManager::GetInstance().Encrypt(param_.password_);
+    if(newSecretKey.sKey.empty()){
+        ZLOGE("encrypt work key error.");
+        return RDB_ERROR;
+    }
+    param_.password_.assign(param_.password_.size(), 0);
+    auto time = system_clock::to_time_t(system_clock::now());
+    newSecretKey.time = { reinterpret_cast<uint8_t *>(&time), reinterpret_cast<uint8_t *>(&time) + sizeof(time) };
+    auto secretkey_saved = MetaDataManager::GetInstance().SaveMeta(meta.GetSecretKey(), newSecretKey, true);
+    return secretkey_saved ? RDB_OK : RDB_ERROR;
+}
+
+bool RdbSyncer::GetPassword(const StoreMetaData &metaData, DistributedDB::CipherPassword &password)
+{
+    if (!metaData.isEncrypt) {
+        return true;
+    }
+
+    std::string key = metaData.GetSecretKey();
+    DistributedData::SecretKeyMetaData secretKeyMeta;
+    MetaDataManager::GetInstance().LoadMeta(key, secretKeyMeta, true);
+    std::vector<uint8_t> decryptKey;
+    CryptoManager::GetInstance().Decrypt(secretKeyMeta.sKey, decryptKey);
+    if (password.SetValue(decryptKey.data(), decryptKey.size()) != DistributedDB::CipherPassword::OK) {
+        std::fill(decryptKey.begin(), decryptKey.end(), 0);
+        ZLOGE("Set secret key value failed. len is (%d)", int32_t(decryptKey.size()));
+        return false;
+    }
+    std::fill(decryptKey.begin(), decryptKey.end(), 0);
+    return true;
 }
 
 std::string RdbSyncer::RemoveSuffix(const std::string& name)
@@ -172,7 +219,11 @@ int32_t RdbSyncer::InitDBDelegate(const StoreMetaData &meta)
 
     if (delegate_ == nullptr) {
         DistributedDB::RelationalStoreDelegate::Option option;
+        DistributedDB::CipherPassword password;
+        GetPassword(meta, password);
         option.observer = observer_;
+        option.passwd = password;
+        option.isEncryptedDb = param_.isEncrypt_;
         std::string fileName = meta.dataDir;
         ZLOGI("path=%{public}s storeId=%{public}s", fileName.c_str(), meta.storeId.c_str());
         auto status = manager_->OpenStore(fileName, meta.storeId, option, delegate_);
diff --git a/services/distributeddataservice/service/rdb/rdb_syncer.h b/services/distributeddataservice/service/rdb/rdb_syncer.h
index ace960b0db0a8ddc74994a79970406e33ba62261..cb48ddc805e0a0e0042df47168a94d801507bc1e 100644
--- a/services/distributeddataservice/service/rdb/rdb_syncer.h
+++ b/services/distributeddataservice/service/rdb/rdb_syncer.h
@@ -25,10 +25,12 @@
 #include "rdb_types.h"
 #include "relational_store_delegate.h"
 #include "relational_store_manager.h"
+#include "metadata/secret_key_meta_data.h"
 namespace OHOS::DistributedRdb {
 class RdbSyncer {
 public:
     using StoreMetaData = OHOS::DistributedData::StoreMetaData;
+    using SecretKeyMetaData = DistributedData::SecretKeyMetaData;
     RdbSyncer(const RdbSyncerParam& param, RdbStoreObserverImpl* observer);
     ~RdbSyncer() noexcept;
 
@@ -65,6 +67,7 @@ private:
 
     int32_t CreateMetaData(StoreMetaData &meta);
     int32_t InitDBDelegate(const StoreMetaData &meta);
+    bool GetPassword(const StoreMetaData &metaData, DistributedDB::CipherPassword &password);
 
     DistributedDB::RelationalStoreDelegate* GetDelegate();