diff --git a/include/common/tglobal.h b/include/common/tglobal.h index 0d884d419e..0f3d255a93 100644 --- a/include/common/tglobal.h +++ b/include/common/tglobal.h @@ -103,8 +103,9 @@ extern int64_t tsDndStartOsUptime; extern int64_t tsDndUpTime; // dnode misc -extern int8_t tsEncryptionKeyStat; -extern int8_t tsGrant; +extern uint32_t tsEncryptionKeyChksum; +extern int8_t tsEncryptionKeyStat; +extern int8_t tsGrant; // monitor extern bool tsEnableMonitor; diff --git a/include/common/tmsg.h b/include/common/tmsg.h index e33c106c22..7ea3b6ea8a 100644 --- a/include/common/tmsg.h +++ b/include/common/tmsg.h @@ -1493,14 +1493,15 @@ void tFreeSFuncInfo(SFuncInfo* pInfo); void tFreeSRetrieveFuncRsp(SRetrieveFuncRsp* pRsp); typedef struct { - int32_t statusInterval; - int64_t checkTime; // 1970-01-01 00:00:00.000 - char timezone[TD_TIMEZONE_LEN]; // tsTimezone - char locale[TD_LOCALE_LEN]; // tsLocale - char charset[TD_LOCALE_LEN]; // tsCharset - int8_t ttlChangeOnWrite; - int8_t enableWhiteList; - int8_t encryptionKeyStat; + int32_t statusInterval; + int64_t checkTime; // 1970-01-01 00:00:00.000 + char timezone[TD_TIMEZONE_LEN]; // tsTimezone + char locale[TD_LOCALE_LEN]; // tsLocale + char charset[TD_LOCALE_LEN]; // tsCharset + int8_t ttlChangeOnWrite; + int8_t enableWhiteList; + int8_t encryptionKeyStat; + uint32_t encryptionKeyChksum; } SClusterCfg; typedef struct { diff --git a/source/common/src/tglobal.c b/source/common/src/tglobal.c index 0479c65962..f9238ea7c6 100644 --- a/source/common/src/tglobal.c +++ b/source/common/src/tglobal.c @@ -91,8 +91,9 @@ int64_t tsDndStartOsUptime = 0; int64_t tsDndUpTime = 0; // dnode misc -int8_t tsEncryptionKeyStat = 0; -int8_t tsGrant = 1; +uint32_t tsEncryptionKeyChksum = 0; +int8_t tsEncryptionKeyStat = ENCRYPT_KEY_STAT_LOADED; //ENCRYPT_KEY_STAT_UNKNOWN; +int8_t tsGrant = 1; // monitor bool tsEnableMonitor = true; diff --git a/source/common/src/tmsg.c b/source/common/src/tmsg.c index 96c3108e2a..f959c3b4df 100644 
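Review bot: In source/common/src/tglobal.c the default for `tsEncryptionKeyStat` becomes `ENCRYPT_KEY_STAT_LOADED` while `tsEncryptionKeyChksum` starts at 0, so a node that has never loaded a key reports "loaded" with checksum 0 unless code outside this diff resets it. In that state the `tsEncryptionKeyStat != ENCRYPT_KEY_STAT_LOADED` guard in mndCheckDbEncryptKey cannot fire, and two keyless nodes compare equal in mndCheckClusterCfgPara. The trailing `//ENCRYPT_KEY_STAT_UNKNOWN;` looks like a testing leftover. I would start from the unknown state, `int8_t tsEncryptionKeyStat = ENCRYPT_KEY_STAT_UNKNOWN;`, and let the key-loading path set LOADED together with the checksum.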
--- a/source/common/src/tmsg.c +++ b/source/common/src/tmsg.c @@ -1178,6 +1178,7 @@ int32_t tSerializeSStatusReq(void *buf, int32_t bufLen, SStatusReq *pReq) { if (tEncodeCStr(&encoder, pReq->clusterCfg.charset) < 0) return -1; if (tEncodeI8(&encoder, pReq->clusterCfg.enableWhiteList) < 0) return -1; if (tEncodeI8(&encoder, pReq->clusterCfg.encryptionKeyStat) < 0) return -1; + if (tEncodeU32(&encoder, pReq->clusterCfg.encryptionKeyChksum) < 0) return -1; // vnode loads int32_t vlen = (int32_t)taosArrayGetSize(pReq->pVloads); @@ -1271,6 +1272,7 @@ int32_t tDeserializeSStatusReq(void *buf, int32_t bufLen, SStatusReq *pReq) { if (tDecodeCStrTo(&decoder, pReq->clusterCfg.charset) < 0) return -1; if (tDecodeI8(&decoder, &pReq->clusterCfg.enableWhiteList) < 0) return -1; if (tDecodeI8(&decoder, &pReq->clusterCfg.encryptionKeyStat) < 0) return -1; + if (tDecodeU32(&decoder, &pReq->clusterCfg.encryptionKeyChksum) < 0) return -1; // vnode loads int32_t vlen = 0; diff --git a/source/dnode/mgmt/mgmt_dnode/src/dmHandle.c b/source/dnode/mgmt/mgmt_dnode/src/dmHandle.c index c67c4adbbb..f6783556eb 100644 --- a/source/dnode/mgmt/mgmt_dnode/src/dmHandle.c +++ b/source/dnode/mgmt/mgmt_dnode/src/dmHandle.c @@ -114,6 +114,8 @@ void dmSendStatusReq(SDnodeMgmt *pMgmt) { req.clusterCfg.ttlChangeOnWrite = tsTtlChangeOnWrite; req.clusterCfg.enableWhiteList = tsEnableWhiteList ? 1 : 0; req.clusterCfg.encryptionKeyStat = tsEncryptionKeyStat; // ENCRYPT_TODO + req.clusterCfg.encryptionKeyChksum = tsEncryptionKeyChksum; // ENCRYPT_TODO + // pMgmt->pData->dnodeId == 1 ? 0 : pMgmt->pData->dnodeId + 10; // tsEncryptionKeyChksum; // ENCRYPT_TODO char timestr[32] = "1970-01-01 00:00:00.00"; (void)taosParseTime(timestr, &req.clusterCfg.checkTime, (int32_t)strlen(timestr), TSDB_TIME_PRECISION_MILLI, 0); memcpy(req.clusterCfg.timezone, tsTimezoneStr, TD_TIMEZONE_LEN); diff --git a/source/dnode/mnode/impl/inc/mndDef.h b/source/dnode/mnode/impl/inc/mndDef.h index 7389cde27c..a1ffb4a7a9 100644 
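Review bot: The added `tEncodeU32` in tSerializeSStatusReq puts a value derived from the encryption key into every status request, and the diff does not show how `encryptionKeyChksum` is computed. If it is an unkeyed checksum such as a CRC over the key bytes, anyone who can read status traffic, or the `mError` lines added in mndDb.c and mndDnode.c, learns 32 bits about the key and can test key guesses offline. Consider deriving the value from a salted cryptographic digest (truncated if the field must stay 32-bit) and documenting the derivation at the field in SClusterCfg. The same value is copied in dmSendStatusReq and stored per dnode in mndProcessStatusReq.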
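Review bot: tDeserializeSStatusReq now reads `encryptionKeyChksum` unconditionally in the middle of the message, before the vnode loads, so a status request from a dnode built before this change would decode with every later field shifted by four bytes. If mixed-version clusters can occur during a rolling upgrade, the field is safer appended at the end of the message and decoded only when bytes remain, leaving the checksum at 0 otherwise. If version skew is rejected before this point, a comment next to the `tDecodeU32` call saying so would help. The matching `tEncodeU32` in tSerializeSStatusReq needs the same placement; both function bodies continue outside their hunks.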
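Review bot: The second added line in dmSendStatusReq is commented-out code (`// pMgmt->pData->dnodeId == 1 ? 0 : pMgmt->pData->dnodeId + 10; ...`) that appears to fake a per-dnode checksum for testing; it should be dropped before merge so it cannot be re-enabled by accident. The new assignment also carries a bare `// ENCRYPT_TODO` that does not say what is still open. Either resolve it or spell out the remaining work in the comment. The function body continues outside the hunk.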
--- a/source/dnode/mnode/impl/inc/mndDef.h +++ b/source/dnode/mnode/impl/inc/mndDef.h @@ -215,7 +215,9 @@ typedef struct { int64_t memAvail; int64_t memUsed; EDndReason offlineReason; + uint32_t encryptionKeyChksum; int8_t encryptionKeyStat; + int8_t reboot; uint16_t port; char fqdn[TSDB_FQDN_LEN]; char ep[TSDB_EP_LEN]; diff --git a/source/dnode/mnode/impl/src/mndDb.c b/source/dnode/mnode/impl/src/mndDb.c index a6027aae2e..81f82fa0be 100644 --- a/source/dnode/mnode/impl/src/mndDb.c +++ b/source/dnode/mnode/impl/src/mndDb.c @@ -778,22 +778,36 @@ static int32_t mndCheckDbEncryptKey(SMnode *pMnode, SCreateDbReq *pReq) { SDnodeObj *pDnode = NULL; void *pIter = NULL; +#ifdef TD_ENTERPRISE if (pReq->encryptAlgorithm == TSDB_ENCRYPT_ALGO_NONE) goto _exit; if (tsEncryptionKeyStat != ENCRYPT_KEY_STAT_LOADED) { code = TSDB_CODE_MND_INVALID_ENCRYPT_KEY; + mError("db:%s, failed to check encryption key:%" PRIi8 " in mnode leader since it's not loaded", pReq->db, + tsEncryptionKeyStat); goto _exit; } int64_t curMs = taosGetTimestampMs(); while ((pIter = sdbFetch(pSdb, SDB_DNODE, pIter, (void **)&pDnode))) { bool online = false; - if (pDnode->encryptionKeyStat != tsEncryptionKeyStat && (online = mndIsDnodeOnline(pDnode, curMs))) { + if ((pDnode->encryptionKeyStat != tsEncryptionKeyStat || pDnode->encryptionKeyChksum != tsEncryptionKeyChksum) && + (online = mndIsDnodeOnline(pDnode, curMs))) { code = TSDB_CODE_MND_INVALID_ENCRYPT_KEY; + mError("db:%s, failed to check encryption key:%" PRIi8 + "-%u in dnode:%d since it's inconsitent with mnode leader:%" PRIi8 "-%u", + pReq->db, pDnode->encryptionKeyStat, pDnode->encryptionKeyChksum, pDnode->id, tsEncryptionKeyStat, + tsEncryptionKeyChksum); sdbRelease(pSdb, pDnode); break; } sdbRelease(pSdb, pDnode); } +#else + if (pReq->encryptAlgorithm != TSDB_ENCRYPT_ALGO_NONE) { + code = TSDB_CODE_MND_INVALID_DB_OPTION; + goto _exit; + } +#endif _exit: return code; } 
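Review bot: In mndCheckDbEncryptKey the `#ifdef TD_ENTERPRISE` opens after the declarations, so `pDnode` and `pIter` (and possibly other locals declared above the hunk) are unused in the community build and may warn under `-Wunused-variable`; moving them inside the `#ifdef` avoids that. In the second `mError`, `inconsitent` should read `inconsistent`, and the `uint32_t` checksum is printed with `%u` although the same format string uses `PRIi8`, so `%" PRIu32 "` would be consistent. The `#else` branch rejects an encrypted database with `TSDB_CODE_MND_INVALID_DB_OPTION` but logs nothing, unlike both enterprise failure paths. The start of the function is outside the hunk.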
diff --git a/source/dnode/mnode/impl/src/mndDnode.c b/source/dnode/mnode/impl/src/mndDnode.c index 6641ed6946..b6b53dac03 100644 --- a/source/dnode/mnode/impl/src/mndDnode.c +++ b/source/dnode/mnode/impl/src/mndDnode.c @@ -36,7 +36,7 @@ #define TSDB_DNODE_RESERVE_SIZE 40 static const char *offlineReason[] = { - "", + "online", "status msg timeout", "status not received", "version not match", @@ -374,8 +374,8 @@ int32_t mndGetDbSize(SMnode *pMnode) { bool mndIsDnodeOnline(SDnodeObj *pDnode, int64_t curMs) { int64_t interval = TABS(pDnode->lastAccessTime - curMs); if (interval > 5000 * (int64_t)tsStatusInterval) { - if (pDnode->rebootTime > 0) { - pDnode->offlineReason = DND_REASON_STATUS_MSG_TIMEOUT; + if (pDnode->rebootTime > 0 && pDnode->offlineReason != DND_REASON_STATUS_MSG_TIMEOUT) { + if (!pDnode->reboot) pDnode->offlineReason = DND_REASON_STATUS_MSG_TIMEOUT; } return false; } @@ -468,9 +468,9 @@ static int32_t mndCheckClusterCfgPara(SMnode *pMnode, SDnodeObj *pDnode, const S return DND_REASON_ENABLE_WHITELIST_NOT_MATCH; } - if (pCfg->encryptionKeyStat != tsEncryptionKeyStat) { - mError("dnode:%d, encryptionKey:%d inconsistent with cluster:%d", pDnode->id, pCfg->encryptionKeyStat, - tsEncryptionKeyStat); + if (pCfg->encryptionKeyStat != tsEncryptionKeyStat || pCfg->encryptionKeyChksum != tsEncryptionKeyChksum) { + mError("dnode:%d, encryptionKey:%" PRIi8 "-%u inconsistent with cluster:%" PRIi8 "-%u", pDnode->id, + pCfg->encryptionKeyStat, pCfg->encryptionKeyChksum, tsEncryptionKeyStat, tsEncryptionKeyChksum); return DND_REASON_ENCRYPTION_KEY_NOT_MATCH; } @@ -813,6 +813,7 @@ static int32_t mndProcessStatusReq(SRpcMsg *pReq) { if (reboot) { tsGrantHBInterval = GRANT_HEART_BEAT_MIN; } + pDnode->reboot = reboot; for (int32_t v = 0; v < taosArrayGetSize(statusReq.pVloads); ++v) { SVnodeLoad *pVload = taosArrayGet(statusReq.pVloads, v); 
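Review bot: The timeout branch in mndIsDnodeOnline nests two `if`s and tests `offlineReason != DND_REASON_STATUS_MSG_TIMEOUT` before assigning that same value, which adds nothing to the result; `if (pDnode->rebootTime > 0 && !pDnode->reboot) pDnode->offlineReason = DND_REASON_STATUS_MSG_TIMEOUT;` stores the same values. The purpose of the new `reboot` flag is not stated anywhere in the diff. If the intent is to keep the reason recorded at reboot, a comment such as `// do not overwrite the reason of a dnode that just rebooted` here and on the field in mndDef.h would make that clear. Within this diff `reboot` is written only in mndProcessStatusReq, so it keeps its last value until the next status message arrives.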
@@ -917,6 +918,8 @@ static int32_t mndProcessStatusReq(SRpcMsg *pReq) { pDnode->numOfDiskCfg = statusReq.numOfDiskCfg; pDnode->memAvail = statusReq.memAvail; pDnode->memTotal = statusReq.memTotal; + pDnode->encryptionKeyStat = statusReq.clusterCfg.encryptionKeyStat; + pDnode->encryptionKeyChksum = statusReq.clusterCfg.encryptionKeyChksum; if (memcmp(pDnode->machineId, statusReq.machineId, TSDB_MACHINE_ID_LEN) != 0) { tstrncpy(pDnode->machineId, statusReq.machineId, TSDB_MACHINE_ID_LEN + 1); mndUpdateDnodeObj(pMnode, pDnode); diff --git a/source/libs/parser/src/parTranslater.c b/source/libs/parser/src/parTranslater.c index ea4e91f3e7..778e3cf606 100644 --- a/source/libs/parser/src/parTranslater.c +++ b/source/libs/parser/src/parTranslater.c @@ -10919,6 +10919,7 @@ static int32_t rewriteQuery(STranslateContext* pCxt, SQuery* pQuery) { case QUERY_NODE_SHOW_GRANTS_LOGS_STMT: case QUERY_NODE_SHOW_CLUSTER_MACHINES_STMT: case QUERY_NODE_SHOW_ARBGROUPS_STMT: + case QUERY_NODE_SHOW_ENCRYPTIONS_STMT: code = rewriteShow(pCxt, pQuery); break; case QUERY_NODE_SHOW_VGROUPS_STMT: