diff --git a/.gitignore b/.gitignore index 2dec331dd..bab6f8af3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ build/* .vscode/* .*/*\!.github +CMakeUserPresets.json diff --git a/include/aos/common/crypto/crypto.hpp b/include/aos/common/crypto/crypto.hpp index b8e430286..cfbc9f28f 100644 --- a/include/aos/common/crypto/crypto.hpp +++ b/include/aos/common/crypto/crypto.hpp @@ -296,6 +296,33 @@ class RandomItf { virtual ~RandomItf() = default; }; +/*** + * UUID generator interface. + */ +class UUIDItf { +public: + /** + * Creates UUID v4. + * + * @return RetWithError. + */ + virtual RetWithError CreateUUIDv4() = 0; + + /** + * Creates UUID version 5 based on a given namespace identifier and name. + * + * @param space namespace identifier. + * @param name name. + * @result RetWithError. + */ + virtual RetWithError CreateUUIDv5(const uuid::UUID& space, const Array& name) = 0; + + /** + * Destructor. + */ + virtual ~UUIDItf() = default; +}; + /** * Options being used while signing. */ @@ -700,15 +727,6 @@ class ProviderItf { */ virtual Error ASN1DecodeOID(const Array& inOID, Array& dst) = 0; - /** - * Creates UUID version 5 based on a given namespace identifier and name. - * - * @param space namespace identifier. - * @param name name. - * @result RetWithError. - */ - virtual RetWithError CreateUUIDv5(const uuid::UUID& space, const Array& name) = 0; - /** * Destroys object instance. */ @@ -721,6 +739,18 @@ class ProviderItf { using CertificateChain = StaticArray; } // namespace x509 + +/** + * Crypto provider interface. + */ +class CryptoProviderItf : public x509::ProviderItf, public HasherItf, public RandomItf, public UUIDItf { +public: + /** + * Destructor. + */ + virtual ~CryptoProviderItf() = default; +}; + } // namespace aos::crypto #endif diff --git a/include/aos/common/crypto/mbedtls/cryptoprovider.hpp b/include/aos/common/crypto/mbedtls/cryptoprovider.hpp index 9290c0938..30775003b 100644 --- a/include/aos/common/crypto/mbedtls/cryptoprovider.hpp 
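Review bot: In include/aos/common/crypto/crypto.hpp the doc comment on the new `UUIDItf::CreateUUIDv4` says only "Creates UUID v4", yet this commit uses its output as the PermHandler instance secret and as PKCS#11 key identifiers. The interface should state the randomness requirement, for example `Creates UUID v4 from a cryptographically secure random source; implementations must not fall back to a non-cryptographic generator.` The `CreateUUIDv5` comment uses `@result` where `CreateUUIDv4` just above it uses `@return`. The same `@result` tag is carried into the MbedTLS and OpenSSL provider headers later in the diff.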
+++ b/include/aos/common/crypto/mbedtls/cryptoprovider.hpp @@ -22,7 +22,7 @@ namespace aos::crypto { /** * MbedTLSCryptoProvider provider. */ -class MbedTLSCryptoProvider : public x509::ProviderItf, public HasherItf, public RandomItf { +class MbedTLSCryptoProvider : public CryptoProviderItf { public: /** * Initializes the object. @@ -164,15 +164,6 @@ class MbedTLSCryptoProvider : public x509::ProviderItf, public HasherItf, public */ Error ASN1DecodeOID(const Array& inOID, Array& dst) override; - /** - * Creates UUID version 5 based on a given namespace identifier and name. - * - * @param space namespace identifier. - * @param name name. - * @result RetWithError. - */ - RetWithError CreateUUIDv5(const uuid::UUID& space, const Array& name) override; - /** * Creates hash instance. * @@ -198,6 +189,22 @@ class MbedTLSCryptoProvider : public x509::ProviderItf, public HasherItf, public */ Error RandBuffer(Array& buffer, size_t size) override; + /** + * Creates UUID v4. + * + * @return RetWithError. + */ + RetWithError CreateUUIDv4() override; + + /** + * Creates UUID version 5 based on a given namespace identifier and name. + * + * @param space namespace identifier. + * @param name name. + * @result RetWithError. + */ + RetWithError CreateUUIDv5(const uuid::UUID& space, const Array& name) override; + private: class MBedTLSHash : public crypto::HashItf, private NonCopyable { public: diff --git a/include/aos/common/crypto/openssl/cryptoprovider.hpp b/include/aos/common/crypto/openssl/cryptoprovider.hpp index 9888552df..29500c513 100644 --- a/include/aos/common/crypto/openssl/cryptoprovider.hpp +++ b/include/aos/common/crypto/openssl/cryptoprovider.hpp @@ -17,7 +17,7 @@ namespace aos::crypto { /** * OpenSSLCryptoProvider provider. */ -class OpenSSLCryptoProvider : public x509::ProviderItf, public HasherItf, public RandomItf { +class OpenSSLCryptoProvider : public CryptoProviderItf { public: /** * Destructor. 
@@ -164,15 +164,6 @@ class OpenSSLCryptoProvider : public x509::ProviderItf, public HasherItf, public */ Error ASN1DecodeOID(const Array& inOID, Array& dst) override; - /** - * Creates UUID version 5 based on a given namespace identifier and name. - * - * @param space namespace identifier. - * @param name name. - * @result RetWithError. - */ - RetWithError CreateUUIDv5(const uuid::UUID& space, const Array& name) override; - /** * Creates hash instance. * @@ -198,6 +189,22 @@ class OpenSSLCryptoProvider : public x509::ProviderItf, public HasherItf, public */ Error RandBuffer(Array& buffer, size_t size = 0) override; + /** + * Creates UUID v4. + * + * @return RetWithError. + */ + RetWithError CreateUUIDv4() override; + + /** + * Creates UUID version 5 based on a given namespace identifier and name. + * + * @param space namespace identifier. + * @param name name. + * @result RetWithError. + */ + RetWithError CreateUUIDv5(const uuid::UUID& space, const Array& name) override; + private: class OpenSSLHash : public crypto::HashItf, private NonCopyable { public: diff --git a/include/aos/common/tools/uuid.hpp b/include/aos/common/tools/uuid.hpp index 48c3f9110..c77764e40 100644 --- a/include/aos/common/tools/uuid.hpp +++ b/include/aos/common/tools/uuid.hpp @@ -28,13 +28,6 @@ constexpr auto cUUIDLen = AOS_CONFIG_TOOLS_UUID_LEN; */ using UUID = StaticArray; -/** - * Creates unique UUID. - * - * @return UUID. - */ -UUID CreateUUID(); - /** * Converts UUID to string. * diff --git a/include/aos/iam/certmodules/pkcs11/pkcs11.hpp b/include/aos/iam/certmodules/pkcs11/pkcs11.hpp index ad5bf3b0f..7b6fce245 100644 --- a/include/aos/iam/certmodules/pkcs11/pkcs11.hpp +++ b/include/aos/iam/certmodules/pkcs11/pkcs11.hpp 
@@ -73,11 +73,11 @@ class PKCS11Module : public HSMItf { * @param certType certificate type. * @param config module configuration. * @param pkcs11 reference to pkcs11 library context. - * @param x509Provider reference to x509 crypto interface. + * @param cryptoProvider reference to crypto provider interface. * @return Error. */ Error Init(const String& certType, const PKCS11ModuleConfig& config, pkcs11::PKCS11Manager& pkcs11, - crypto::x509::ProviderItf& x509Provider); + crypto::CryptoProviderItf& cryptoProvider); /** * Owns the module. @@ -209,7 +209,7 @@ class PKCS11Module : public HSMItf { PKCS11ModuleConfig mConfig {}; SharedPtr mPKCS11; - crypto::x509::ProviderItf* mX509Provider {}; + crypto::CryptoProviderItf* mCryptoProvider {}; uint32_t mSlotID = 0; StaticString mTokenLabel; diff --git a/include/aos/iam/permhandler.hpp b/include/aos/iam/permhandler.hpp index 08bed2e81..24790b41f 100644 --- a/include/aos/iam/permhandler.hpp +++ b/include/aos/iam/permhandler.hpp @@ -94,6 +94,14 @@ class PermHandlerItf { */ class PermHandler : public PermHandlerItf { public: + /** + * Initializes permission handler. + * + * @param uuidProvider UUID provider. + * @returns Error. + */ + Error Init(crypto::UUIDItf& uuidProvider); + /** * Adds new service instance and its permissions into cache. * @@ -129,11 +137,12 @@ class PermHandler : public PermHandlerItf { const Array& instancePermissions); InstancePermissions* FindBySecret(const String& secret); InstancePermissions* FindByInstanceIdent(const InstanceIdent& instanceIdent); - StaticString GenerateSecret(); + RetWithError> GenerateSecret(); RetWithError> GetSecretForInstance(const InstanceIdent& instanceIdent); Mutex mMutex; StaticArray mInstancesPerms; + crypto::UUIDItf* mUUIDProvider = {}; }; /** @}*/ diff --git a/include/aos/sm/launcher.hpp b/include/aos/sm/launcher.hpp index 5eb3f7342..cdfe9c476 100644 --- a/include/aos/sm/launcher.hpp +++ b/include/aos/sm/launcher.hpp 
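Review bot: In include/aos/iam/permhandler.hpp the comment on the new `PermHandler::Init` does not say that it must run before `RegisterInstance`. The following hunk declares `crypto::UUIDItf* mUUIDProvider = {};`, and `GenerateSecret` in permhandler.cpp dereferences that pointer without a check, so a `PermHandler` that is constructed but never initialised would dereference null on the first registration. I would add `Must be called before any other method; uuidProvider must outlive this object.` to the comment. The tag should also be `@return`, as in the other `Init` comments in this diff, rather than `@returns`.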
@@ -260,6 +260,7 @@ class Launcher : public LauncherItf, * @param statusReceiver status receiver instance. * @param connectionPublisher connection publisher instance. * @param storage storage instance. + * @param uuidProvider UUID provider instance. * @return Error. */ Error Init(const Config& config, iam::nodeinfoprovider::NodeInfoProviderItf& nodeInfoProvider, @@ -267,7 +268,8 @@ class Launcher : public LauncherItf, resourcemanager::ResourceManagerItf& resourceManager, networkmanager::NetworkManagerItf& networkManager, iam::permhandler::PermHandlerItf& permHandler, runner::RunnerItf& runner, RuntimeItf& runtime, monitoring::ResourceMonitorItf& resourceMonitor, oci::OCISpecItf& ociManager, - InstanceStatusReceiverItf& statusReceiver, ConnectionPublisherItf& connectionPublisher, StorageItf& storage); + InstanceStatusReceiverItf& statusReceiver, ConnectionPublisherItf& connectionPublisher, StorageItf& storage, + crypto::UUIDItf& uuidProvider); /** * Starts launcher. @@ -412,6 +414,7 @@ class Launcher : public LauncherItf, servicemanager::ServiceManagerItf* mServiceManager {}; StorageItf* mStorage {}; RuntimeItf* mRuntime {}; + crypto::UUIDItf* mUUIDProvider {}; mutable StaticAllocator mAllocator; diff --git a/include/aos/test/crypto/providers/cryptofactoryitf.hpp b/include/aos/test/crypto/providers/cryptofactoryitf.hpp index c93eff15b..467470aa7 100644 --- a/include/aos/test/crypto/providers/cryptofactoryitf.hpp +++ b/include/aos/test/crypto/providers/cryptofactoryitf.hpp @@ -44,7 +44,7 @@ class CryptoFactoryItf { * * @return x509::ProviderItf&. */ - virtual x509::ProviderItf& GetCryptoProvider() = 0; + virtual CryptoProviderItf& GetCryptoProvider() = 0; /** * Returns hash provider. diff --git a/include/aos/test/crypto/providers/mbedtlsfactory.hpp b/include/aos/test/crypto/providers/mbedtlsfactory.hpp index 1efea256c..59b61cd85 100644 --- a/include/aos/test/crypto/providers/mbedtlsfactory.hpp +++ b/include/aos/test/crypto/providers/mbedtlsfactory.hpp 
@@ -40,9 +40,9 @@ class MBedTLSCryptoFactory : public CryptoFactoryItf { /** * Returns crypto provider. * - * @return x509::ProviderItf&. + * @return CryptoProviderItf&. */ - x509::ProviderItf& GetCryptoProvider() override; + CryptoProviderItf& GetCryptoProvider() override; /** * Returns hash provider. diff --git a/include/aos/test/crypto/providers/opensslfactory.hpp b/include/aos/test/crypto/providers/opensslfactory.hpp index 5a4f0f42f..8ecd0d623 100644 --- a/include/aos/test/crypto/providers/opensslfactory.hpp +++ b/include/aos/test/crypto/providers/opensslfactory.hpp @@ -40,9 +40,9 @@ class OpenSSLCryptoFactory : public CryptoFactoryItf { /** * Returns crypto provider. * - * @return x509::ProviderItf&. + * @return CryptoProviderItf&. */ - x509::ProviderItf& GetCryptoProvider() override; + CryptoProviderItf& GetCryptoProvider() override; /** * Returns hash provider. diff --git a/src/common/crypto/mbedtls/cryptoprovider.cpp b/src/common/crypto/mbedtls/cryptoprovider.cpp index ed6662196..fc7e6fecc 100644 --- a/src/common/crypto/mbedtls/cryptoprovider.cpp +++ b/src/common/crypto/mbedtls/cryptoprovider.cpp 
@@ -572,36 +572,6 @@ Error MbedTLSCryptoProvider::ASN1DecodeOID(const Array& inOID, Array MbedTLSCryptoProvider::CreateUUIDv5(const uuid::UUID& space, const Array& name) -{ - constexpr auto cUUIDVersion = 5; - - StaticArray buffer = space; - - auto err = buffer.Insert(buffer.end(), name.begin(), name.end()); - if (!err.IsNone()) { - return {{}, AOS_ERROR_WRAP(err)}; - } - - StaticArray sha1; - - sha1.Resize(sha1.MaxSize()); - - int ret = mbedtls_sha1(buffer.Get(), buffer.Size(), sha1.Get()); - if (ret != 0) { - return {{}, AOS_ERROR_WRAP(ret)}; - } - - // copy lowest 16 bytes - uuid::UUID result = Array(sha1.Get(), uuid::cUUIDSize); - - // The version of the UUID will be the lower 4 bits of cUUIDVersion - result[6] = (result[6] & 0x0f) | uint8_t((cUUIDVersion & 0xf) << 4); - result[8] = (result[8] & 0x3f) | 0x80; // RFC 4122 variant - - return result; -} - RetWithError> MbedTLSCryptoProvider::CreateHash(Hash algorithm) { psa_algorithm_t alg = PSA_ALG_SHA3_256; 
@@ -675,6 +645,53 @@ Error MbedTLSCryptoProvider::RandBuffer(Array& buffer, size_t size) return ErrorEnum::eNone; } +RetWithError MbedTLSCryptoProvider::CreateUUIDv4() +{ + constexpr auto cUUIDVersion = 4; + + uuid::UUID uuid; + + if (auto err = RandBuffer(uuid, uuid.MaxSize()); !err.IsNone()) { + return {{}, AOS_ERROR_WRAP(err)}; + } + + // The version of the UUID will be the lower 4 bits of cUUIDVersion + uuid[6] = (uuid[6] & 0x0f) | uint8_t((cUUIDVersion & 0xf) << 4); + uuid[8] = (uuid[8] & 0x3f) | 0x80; // RFC 4122 variant + + return uuid; +} + +RetWithError MbedTLSCryptoProvider::CreateUUIDv5(const uuid::UUID& space, const Array& name) +{ + constexpr auto cUUIDVersion = 5; + + StaticArray buffer = space; + + auto err = buffer.Insert(buffer.end(), name.begin(), name.end()); + if (!err.IsNone()) { + return {{}, AOS_ERROR_WRAP(err)}; + } + + StaticArray sha1; + + sha1.Resize(sha1.MaxSize()); + + int ret = mbedtls_sha1(buffer.Get(), buffer.Size(), sha1.Get()); + if (ret != 0) { + return {{}, AOS_ERROR_WRAP(ret)}; + } + + // copy lowest 16 bytes + uuid::UUID result = Array(sha1.Get(), uuid::cUUIDSize); + + // The version of the UUID will be the lower 4 bits of cUUIDVersion + result[6] = (result[6] & 0x0f) | uint8_t((cUUIDVersion & 0xf) << 4); + result[8] = (result[8] & 0x3f) | 0x80; // RFC 4122 variant + + return result; +} + /*********************************************************************************************************************** * Private **********************************************************************************************************************/ diff --git a/src/common/crypto/openssl/cryptoprovider.cpp b/src/common/crypto/openssl/cryptoprovider.cpp index b861c2d4b..be46bfd72 100644 --- a/src/common/crypto/openssl/cryptoprovider.cpp +++ b/src/common/crypto/openssl/cryptoprovider.cpp 
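Review bot: `MbedTLSCryptoProvider::CreateUUIDv4` indexes `uuid[6]` and `uuid[8]` right after `RandBuffer(uuid, uuid.MaxSize())` without confirming that the array now holds all 16 bytes. `uuid` is default-constructed and `RandBuffer`'s body lies outside this hunk, so whether the call resizes the array is an assumption here. Because this value becomes the permission-handler secret, a short or empty buffer should fail loudly; a guard such as `if (uuid.Size() != uuid::cUUIDSize) { /* return a wrapped error */ }` before the version bits are set would do. The same applies to `OpenSSLCryptoProvider::CreateUUIDv4` in src/common/crypto/openssl/cryptoprovider.cpp. Separately, the version and variant stamping is now repeated in four functions and could move into one shared helper in the `uuid` namespace.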
@@ -1487,33 +1487,6 @@ Error OpenSSLCryptoProvider::ASN1DecodeOID(const Array& inOID, Array OpenSSLCryptoProvider::CreateUUIDv5(const uuid::UUID& space, const Array& name) -{ - constexpr auto cUUIDVersion = 5; - - StaticArray buffer = space; - - auto err = buffer.Insert(buffer.end(), name.begin(), name.end()); - if (!err.IsNone()) { - return {{}, AOS_ERROR_WRAP(err)}; - } - - StaticArray sha1; - - sha1.Resize(sha1.MaxSize()); - - SHA1(buffer.Get(), buffer.Size(), sha1.Get()); - - // copy lowest 16 bytes - uuid::UUID result = Array(sha1.Get(), uuid::cUUIDSize); - - // The version of the UUID will be the lower 4 bits of cUUIDVersion - result[6] = (result[6] & 0x0f) | uint8_t((cUUIDVersion & 0xf) << 4); - result[8] = (result[8] & 0x3f) | 0x80; // RFC 4122 variant - - return result; -} - RetWithError> OpenSSLCryptoProvider::CreateHash(Hash algorithm) { if (algorithm == HashEnum::eNone) { 
@@ -1556,6 +1529,50 @@ Error OpenSSLCryptoProvider::RandBuffer(Array& buffer, size_t size) return ErrorEnum::eNone; } +RetWithError OpenSSLCryptoProvider::CreateUUIDv4() +{ + constexpr auto cUUIDVersion = 4; + + uuid::UUID uuid; + + if (auto err = RandBuffer(uuid, uuid.MaxSize()); !err.IsNone()) { + return {{}, AOS_ERROR_WRAP(err)}; + } + + // The version of the UUID will be the lower 4 bits of cUUIDVersion + uuid[6] = (uuid[6] & 0x0f) | uint8_t((cUUIDVersion & 0xf) << 4); + uuid[8] = (uuid[8] & 0x3f) | 0x80; // RFC 4122 variant + + return uuid; +} + +RetWithError OpenSSLCryptoProvider::CreateUUIDv5(const uuid::UUID& space, const Array& name) +{ + constexpr auto cUUIDVersion = 5; + + StaticArray buffer = space; + + auto err = buffer.Insert(buffer.end(), name.begin(), name.end()); + if (!err.IsNone()) { + return {{}, AOS_ERROR_WRAP(err)}; + } + + StaticArray sha1; + + sha1.Resize(sha1.MaxSize()); + + SHA1(buffer.Get(), buffer.Size(), sha1.Get()); + + // copy lowest 16 bytes + uuid::UUID result = Array(sha1.Get(), uuid::cUUIDSize); + + // The version of the UUID will be the lower 4 bits of cUUIDVersion + result[6] = (result[6] & 0x0f) | uint8_t((cUUIDVersion & 0xf) << 4); + result[8] = (result[8] & 0x3f) | 0x80; // RFC 4122 variant + + return result; +} + /*********************************************************************************************************************** * Private **********************************************************************************************************************/ diff --git a/src/common/tools/uuid.cpp b/src/common/tools/uuid.cpp index d7b64df01..1613fca38 100644 --- a/src/common/tools/uuid.cpp +++ b/src/common/tools/uuid.cpp 
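Review bot: In `OpenSSLCryptoProvider::CreateUUIDv5` the result of `SHA1(buffer.Get(), buffer.Size(), sha1.Get())` is discarded, whereas the MbedTLS variant checks the return of `mbedtls_sha1` and returns a wrapped error. `SHA1()` can return a null pointer when the digest cannot be computed. In that case `sha1` keeps whatever `Resize` left in it and the function still returns a well-formed UUID. `PKCS11Module::GenTeeUserPIN` derives its value from this call, so a silent failure would produce a predictable result. I would test `if (SHA1(buffer.Get(), buffer.Size(), sha1.Get()) == nullptr)` and return an error the way the MbedTLS code does.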
@@ -12,25 +12,13 @@ namespace aos::uuid { -// UUID template assumed to have even number of digits between separators. -static const String cTemplate = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"; -static const String cEmptyUUID = "00000000-0000-0000-0000-000000000000"; - -UUID CreateUUID() -{ - UUID result; - - while (result.Size() < result.MaxSize()) { - unsigned value = rand(); - auto chunk = Array(reinterpret_cast(&value), sizeof(value)); +namespace { - auto chunkSize = Min(result.MaxSize() - result.Size(), chunk.Size()); - - result.Insert(result.end(), chunk.begin(), chunk.begin() + chunkSize); - } +// UUID template assumed to have even number of digits between separators. +const String cTemplate = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"; +const String cEmptyUUID = "00000000-0000-0000-0000-000000000000"; - return result; -} +} // namespace StaticString UUIDToString(const UUID& src) { diff --git a/src/iam/certmodules/pkcs11/pkcs11.cpp b/src/iam/certmodules/pkcs11/pkcs11.cpp index 4a73f4d70..d51256509 100644 --- a/src/iam/certmodules/pkcs11/pkcs11.cpp +++ b/src/iam/certmodules/pkcs11/pkcs11.cpp @@ -21,11 +21,11 @@ namespace aos::iam::certhandler { **********************************************************************************************************************/ Error PKCS11Module::Init(const String& certType, const PKCS11ModuleConfig& config, pkcs11::PKCS11Manager& pkcs11, - crypto::x509::ProviderItf& x509Provider) + crypto::CryptoProviderItf& cryptoProvider) { - mCertType = certType; - mConfig = config; - mX509Provider = &x509Provider; + mCertType = certType; + mConfig = config; + mCryptoProvider = &cryptoProvider; mPKCS11 = pkcs11.OpenLibrary(mConfig.mLibrary); if (!mPKCS11) { 
@@ -198,7 +198,10 @@ RetWithError> PKCS11Module::CreateKey(const Str PKCS11Module::PendingKey pendingKey; Error err = ErrorEnum::eNone; - pendingKey.mUUID = uuid::CreateUUID(); + Tie(pendingKey.mUUID, err) = mCryptoProvider->CreateUUIDv4(); + if (!err.IsNone()) { + return {nullptr, AOS_ERROR_WRAP(err)}; + } SharedPtr session; @@ -209,7 +212,7 @@ RetWithError> PKCS11Module::CreateKey(const Str switch (keyType.GetValue()) { case crypto::KeyTypeEnum::eRSA: - Tie(pendingKey.mKey, err) = pkcs11::Utils(session, *mX509Provider, mLocalCacheAllocator) + Tie(pendingKey.mKey, err) = pkcs11::Utils(session, *mCryptoProvider, mLocalCacheAllocator) .GenerateRSAKeyPairWithLabel(pendingKey.mUUID, mCertType, cRSAKeyLength); if (!err.IsNone()) { return {nullptr, AOS_ERROR_WRAP(err)}; @@ -217,7 +220,7 @@ RetWithError> PKCS11Module::CreateKey(const Str break; case crypto::KeyTypeEnum::eECDSA: - Tie(pendingKey.mKey, err) = pkcs11::Utils(session, *mX509Provider, mLocalCacheAllocator) + Tie(pendingKey.mKey, err) = pkcs11::Utils(session, *mCryptoProvider, mLocalCacheAllocator) .GenerateECDSAKeyPairWithLabel(pendingKey.mUUID, mCertType, cECSDACurveID); if (!err.IsNone()) { return {nullptr, AOS_ERROR_WRAP(err)}; @@ -232,7 +235,7 @@ RetWithError> PKCS11Module::CreateKey(const Str err = TokenMemInfo(); if (!err.IsNone()) { - pkcs11::Utils(session, *mX509Provider, mLocalCacheAllocator).DeletePrivateKey(pendingKey.mKey); + pkcs11::Utils(session, *mCryptoProvider, mLocalCacheAllocator).DeletePrivateKey(pendingKey.mKey); return {nullptr, err}; } @@ -241,7 +244,7 @@ RetWithError> PKCS11Module::CreateKey(const Str auto oldKey = mPendingKeys.Front().mKey; - err = pkcs11::Utils(session, *mX509Provider, mLocalCacheAllocator).DeletePrivateKey(oldKey); + err = pkcs11::Utils(session, *mCryptoProvider, mLocalCacheAllocator).DeletePrivateKey(oldKey); if (!err.IsNone()) { LOG_ERR() << "Can't delete pending key: err=" << err; } 
@@ -322,7 +325,7 @@ Error PKCS11Module::RemoveCert(const String& certURL, const String& password) return err; } - return pkcs11::Utils(session, *mX509Provider, mLocalCacheAllocator).DeleteCertificate(id, label); + return pkcs11::Utils(session, *mCryptoProvider, mLocalCacheAllocator).DeleteCertificate(id, label); } Error PKCS11Module::RemoveKey(const String& keyURL, const String& password) @@ -345,12 +348,12 @@ Error PKCS11Module::RemoveKey(const String& keyURL, const String& password) return err; } - const auto privKey = pkcs11::Utils(session, *mX509Provider, mLocalCacheAllocator).FindPrivateKey(id, label); + const auto privKey = pkcs11::Utils(session, *mCryptoProvider, mLocalCacheAllocator).FindPrivateKey(id, label); if (!privKey.mError.IsNone()) { return AOS_ERROR_WRAP(privKey.mError); } - err = pkcs11::Utils(session, *mX509Provider, mLocalCacheAllocator).DeletePrivateKey(privKey.mValue); + err = pkcs11::Utils(session, *mCryptoProvider, mLocalCacheAllocator).DeletePrivateKey(privKey.mValue); if (!err.IsNone()) { return AOS_ERROR_WRAP(err); } @@ -588,7 +591,7 @@ Error PKCS11Module::GenTeeUserPIN(const String& loginType, const String& idType, return AOS_ERROR_WRAP(err); } - Tie(userSHA1, err) = mX509Provider->CreateUUIDv5(teeSpace, userID.AsByteArray()); + Tie(userSHA1, err) = mCryptoProvider->CreateUUIDv5(teeSpace, userID.AsByteArray()); if (!err.IsNone()) { return AOS_ERROR_WRAP(err); } @@ -767,7 +770,7 @@ bool PKCS11Module::CheckCertificate(const crypto::x509::Certificate& cert, const Error PKCS11Module::CreateCertificateChain(const SharedPtr& session, const Array& id, const String& label, const Array& chain) { - auto utils = pkcs11::Utils(session, *mX509Provider, mLocalCacheAllocator); + auto utils = pkcs11::Utils(session, *mCryptoProvider, mLocalCacheAllocator); LOG_DBG() << "Import certificate with id: " << aos::uuid::UUIDToString(id); auto err = utils.ImportCertificate(id, label, chain[0]); 
@@ -787,7 +790,12 @@ Error PKCS11Module::CreateCertificateChain(const SharedPtrCreateUUIDv4(); + if (!err.IsNone()) { + return AOS_ERROR_WRAP(err); + } LOG_DBG() << "Import root certificate with id: " << aos::uuid::UUIDToString(uuid); @@ -942,7 +950,7 @@ Error PKCS11Module::GetX509Cert( return AOS_ERROR_WRAP(err); } - err = mX509Provider->DERToX509Cert(values[0], cert); + err = mCryptoProvider->DERToX509Cert(values[0], cert); if (!err.IsNone()) { return AOS_ERROR_WRAP(err); } diff --git a/src/iam/permhandler/permhandler.cpp b/src/iam/permhandler/permhandler.cpp index afa9d5118..989b0a59a 100644 --- a/src/iam/permhandler/permhandler.cpp +++ b/src/iam/permhandler/permhandler.cpp @@ -15,6 +15,15 @@ namespace aos::iam::permhandler { * Public **********************************************************************************************************************/ +Error PermHandler::Init(crypto::UUIDItf& uuidProvider) +{ + LOG_DBG() << "Init permission handler"; + + mUUIDProvider = &uuidProvider; + + return ErrorEnum::eNone; +} + RetWithError> PermHandler::RegisterInstance( const InstanceIdent& instanceIdent, const Array& instancePermissions) { @@ -30,7 +39,10 @@ RetWithError> PermHandler::RegisterInstance( return {secret}; } - secret = GenerateSecret(); + Tie(secret, err) = GenerateSecret(); + if (!err.IsNone()) { + return {{}, AOS_ERROR_WRAP(err)}; + } err = AddSecret(secret, instanceIdent, instancePermissions); if (!err.IsNone()) { 
@@ -108,16 +120,23 @@ InstancePermissions* PermHandler::FindByInstanceIdent(const InstanceIdent& insta return mInstancesPerms.FindIf([&instanceIdent](const auto& elem) { return instanceIdent == elem.mInstanceIdent; }); } -StaticString PermHandler::GenerateSecret() +RetWithError> PermHandler::GenerateSecret() { - StaticString newSecret; + StaticString secret; + uuid::UUID uuid; + Error err; do { - newSecret = uuid::UUIDToString(uuid::CreateUUID()); + Tie(uuid, err) = mUUIDProvider->CreateUUIDv4(); + if (!err.IsNone()) { + return {secret, err}; + } + + secret.Assign(uuid::UUIDToString(uuid)); - } while (FindBySecret(newSecret) != mInstancesPerms.end()); + } while (FindBySecret(secret) != mInstancesPerms.end()); - return newSecret; + return {secret}; } RetWithError> PermHandler::GetSecretForInstance(const InstanceIdent& instanceIdent) diff --git a/src/sm/launcher/launcher.cpp b/src/sm/launcher/launcher.cpp index 0c69896f4..2ae4082b5 100644 --- a/src/sm/launcher/launcher.cpp +++ b/src/sm/launcher/launcher.cpp @@ -33,7 +33,8 @@ Error Launcher::Init(const Config& config, iam::nodeinfoprovider::NodeInfoProvid resourcemanager::ResourceManagerItf& resourceManager, networkmanager::NetworkManagerItf& networkManager, iam::permhandler::PermHandlerItf& permHandler, runner::RunnerItf& runner, RuntimeItf& runtime, monitoring::ResourceMonitorItf& resourceMonitor, oci::OCISpecItf& ociManager, - InstanceStatusReceiverItf& statusReceiver, ConnectionPublisherItf& connectionPublisher, StorageItf& storage) + InstanceStatusReceiverItf& statusReceiver, ConnectionPublisherItf& connectionPublisher, StorageItf& storage, + crypto::UUIDItf& uuidProvider) { LOG_DBG() << "Init launcher"; @@ -50,6 +51,7 @@ Error Launcher::Init(const Config& config, iam::nodeinfoprovider::NodeInfoProvid mServiceManager = &serviceManager; mStatusReceiver = &statusReceiver; mStorage = &storage; + mUUIDProvider = &uuidProvider; Error err; 
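Review bot: In `PermHandler::GenerateSecret` the error path `return {secret, err};` hands back whatever `secret` currently holds. If `CreateUUIDv4` fails on a retry iteration, that is the value that has just collided with an already registered instance's secret. The visible caller, `RegisterInstance`, discards the value today, but the helper should not expose it. I would return an empty value and wrap the error as the rest of the file does: `return {{}, AOS_ERROR_WRAP(err)};`. `mUUIDProvider` is also dereferenced here without a null check, and it stays null until `Init` has been called.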
@@ -590,14 +592,21 @@ Error Launcher::GetDesiredInstancesData( return instance.mInstanceInfo.mInstanceIdent == instanceInfo.mInstanceIdent; }); if (currentInstance == currentInstances->end()) { - const auto instanceID = uuid::UUIDToString(uuid::CreateUUID()); + auto [uuid, err] = mUUIDProvider->CreateUUIDv4(); + if (!err.IsNone()) { + return AOS_ERROR_WRAP(err); + } + + const auto instanceID = uuid::UUIDToString(uuid); - if (auto err = desiredInstancesData.EmplaceBack(instanceInfo, instanceID); !err.IsNone()) { + err = desiredInstancesData.EmplaceBack(instanceInfo, instanceID); + if (!err.IsNone()) { return AOS_ERROR_WRAP(err); } - if (auto err = mStorage->AddInstance(desiredInstancesData.Back()); !err.IsNone()) { - LOG_ERR() << "Can't add instance: instanceID=" << instanceID << ", err=" << err; + err = mStorage->AddInstance(desiredInstancesData.Back()); + if (!err.IsNone()) { + LOG_ERR() << "Can't add instance" << Log::Field("instanceID", instanceID) << Log::Field(err); } continue; diff --git a/tests/common/src/crypto/cryptoprovider_test.cpp b/tests/common/src/crypto/cryptoprovider_test.cpp index 32abf0d46..73cc10a8c 100644 --- a/tests/common/src/crypto/cryptoprovider_test.cpp +++ b/tests/common/src/crypto/cryptoprovider_test.cpp @@ -44,7 +44,7 @@ class CryptoProviderTest : public TestWithParam mFactory; - x509::ProviderItf* mCryptoProvider; + CryptoProviderItf* mCryptoProvider; HasherItf* mHashProvider; RandomItf* mRandomProvider; }; diff --git a/tests/common/src/crypto/cryptoutils_test.cpp b/tests/common/src/crypto/cryptoutils_test.cpp index 91e110e0d..3cf09b516 100644 --- a/tests/common/src/crypto/cryptoutils_test.cpp +++ b/tests/common/src/crypto/cryptoutils_test.cpp @@ -88,7 +88,7 @@ class CryptoutilsTest : public Test { static constexpr auto mPINSource = "pin.txt"; DefaultCryptoFactory mCryptoFactory; - x509::ProviderItf* mCryptoProvider = nullptr; + CryptoProviderItf* mCryptoProvider = nullptr; test::SoftHSMEnv mSoftHSMEnv; pkcs11::SlotID mSlotID = 0; 
diff --git a/tests/common/src/pkcs11_test.cpp b/tests/common/src/pkcs11_test.cpp index 63a5e6910..245fdc9d4 100644 --- a/tests/common/src/pkcs11_test.cpp +++ b/tests/common/src/pkcs11_test.cpp @@ -45,7 +45,7 @@ class PKCS11Test : public Test { static constexpr auto mPIN = "admin"; crypto::DefaultCryptoFactory mCryptoFactory; - crypto::x509::ProviderItf* mCryptoProvider = nullptr; + crypto::CryptoProviderItf* mCryptoProvider = nullptr; crypto::HasherItf* mHashProvider = nullptr; test::SoftHSMEnv mSoftHSMEnv; diff --git a/tests/common/src/tools/uuid_test.cpp b/tests/common/src/tools/uuid_test.cpp index 87b6d5336..0f2bf5f33 100644 --- a/tests/common/src/tools/uuid_test.cpp +++ b/tests/common/src/tools/uuid_test.cpp @@ -14,23 +14,6 @@ namespace aos::uuid { -TEST(UUIDTest, CreateUUID) -{ - static constexpr auto cTestUUIDsCount = 1000; - - std::vector uuids; - - for (int i = 0; i < cTestUUIDsCount; i++) { - auto tmp = CreateUUID(); - - ASSERT_EQ(tmp.Size(), tmp.MaxSize()); - - ASSERT_EQ(std::find(uuids.begin(), uuids.end(), tmp), uuids.end()); - - uuids.push_back(tmp); - } -} - TEST(UUIDTest, UUIDToString) { uint8_t uuidBlob[uuid::cUUIDSize] diff --git a/tests/iam/iam_test.cpp b/tests/iam/iam_test.cpp index e743ad90a..bf5537c19 100644 --- a/tests/iam/iam_test.cpp +++ b/tests/iam/iam_test.cpp @@ -90,7 +90,7 @@ class IAMTest : public Test { // Service providers crypto::DefaultCryptoFactory mCryptoFactory; - crypto::x509::ProviderItf* mCryptoProvider = nullptr; + crypto::CryptoProviderItf* mCryptoProvider = nullptr; test::SoftHSMEnv mSOFTHSMEnv; StorageStub mStorage; diff --git a/tests/iam/permhandler/permhandler_test.cpp b/tests/iam/permhandler/permhandler_test.cpp index 4e1ea24fc..f8698ac66 100644 --- a/tests/iam/permhandler/permhandler_test.cpp +++ b/tests/iam/permhandler/permhandler_test.cpp 
@@ -9,24 +9,33 @@ #include +#include "aos/common/crypto/cryptoprovider.hpp" #include "aos/common/tools/buffer.hpp" #include "aos/iam/permhandler.hpp" #include "aos/test/log.hpp" + #include "mocks/identhandlermock.hpp" -using namespace aos; -using namespace aos::iam::permhandler; using namespace testing; +namespace aos::iam::permhandler { + /*********************************************************************************************************************** * Suite **********************************************************************************************************************/ class PermHandlerTest : public Test { protected: - void SetUp() override { test::InitLog(); } + void SetUp() override + { + test::InitLog(); - PermHandler mPermHandler; + ASSERT_TRUE(mCryptoProvider.Init().IsNone()) << "Failed to initialize crypto provider"; + ASSERT_TRUE(mPermHandler.Init(mCryptoProvider).IsNone()) << "Failed to initialize PermHandler"; + } + + crypto::DefaultCryptoProvider mCryptoProvider; + PermHandler mPermHandler; }; /*********************************************************************************************************************** @@ -204,3 +213,5 @@ TEST_F(PermHandlerTest, TestInstancePermissions) err = mPermHandler.UnregisterInstance(instanceIdent1); ASSERT_TRUE(err.Is(ErrorEnum::eNotFound)) << err.Message(); } + +} // namespace aos::iam::permhandler diff --git a/tests/include/mocks/cryptomock.hpp b/tests/include/mocks/cryptomock.hpp index 97ecb252b..d59491786 100644 --- a/tests/include/mocks/cryptomock.hpp +++ b/tests/include/mocks/cryptomock.hpp @@ -37,7 +37,6 @@ class ProviderMock : public ProviderItf { MOCK_METHOD(Error, ASN1EncodeDERSequence, (const Array>&, Array&), (override)); MOCK_METHOD(Error, ASN1DecodeOctetString, (const Array&, Array&), (override)); MOCK_METHOD(Error, ASN1DecodeOID, (const Array&, Array&), (override)); - MOCK_METHOD(RetWithError, CreateUUIDv5, (const uuid::UUID&, const Array&), (override)); }; } // namespace x509 
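Review bot: The fixture in tests/iam/permhandler/permhandler_test.cpp wires in the real `crypto::DefaultCryptoProvider`, so the new failure branch in `RegisterInstance` (a non-none error from `CreateUUIDv4`) is never exercised. The cryptomock.hpp hunk on this line removes the `CreateUUIDv5` mock from `ProviderMock` and adds no mock for `UUIDItf`. A small gmock class implementing `UUIDItf` would let a test assert that registration fails and no secret is stored when the provider returns an error. The removed `UUIDTest.CreateUUID` uniqueness test also has no visible replacement for `CreateUUIDv4`; checking the version nibble and variant bits of the result would be a cheap addition.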
diff --git a/tests/sm/launcher/launcher_test.cpp b/tests/sm/launcher/launcher_test.cpp index d8dcdeb24..4919fd0a1 100644 --- a/tests/sm/launcher/launcher_test.cpp +++ b/tests/sm/launcher/launcher_test.cpp @@ -7,6 +7,7 @@ #include +#include "aos/common/crypto/cryptoprovider.hpp" #include "aos/sm/launcher.hpp" #include "aos/test/log.hpp" @@ -97,9 +98,12 @@ class LauncherTest : public Test { mOCIManager = std::make_unique(); mStatusReceiver = std::make_unique(); mStorage = std::make_unique(); + mCryptoProvider = std::make_unique(); mLauncher = std::make_unique(); + ASSERT_TRUE(mCryptoProvider->Init().IsNone()) << "crypto provider initialization failed"; + EXPECT_CALL(mNetworkManager, GetNetnsPath).WillRepeatedly(Invoke([](const String& instanceID) { return RetWithError>(fs::JoinPath("/var/run/netns", instanceID)); })); @@ -110,7 +114,7 @@ class LauncherTest : public Test { ASSERT_TRUE(mLauncher ->Init(Config {}, mNodeInfoProvider, *mServiceManager, *mLayerManager, mResourceManager, mNetworkManager, mPermHandler, mRunner, mRuntime, mResourceMonitor, *mOCIManager, - *mStatusReceiver, mConnectionPublisher, *mStorage) + *mStatusReceiver, mConnectionPublisher, *mStorage, *mCryptoProvider) .IsNone()); ASSERT_TRUE(mLauncher->Start().IsNone()); 
@@ -155,20 +159,21 @@ class LauncherTest : public Test { return ErrorEnum::eNone; } - std::unique_ptr mLauncher; - NiceMock mConnectionPublisher; - std::unique_ptr mLayerManager; - NiceMock mNetworkManager; - NiceMock mNodeInfoProvider; - std::unique_ptr mOCIManager; - NiceMock mPermHandler; - NiceMock mResourceManager; - NiceMock mResourceMonitor; - NiceMock mRunner; - NiceMock mRuntime; - std::unique_ptr mServiceManager; - std::unique_ptr mStatusReceiver; - std::unique_ptr mStorage; + std::unique_ptr mLauncher; + NiceMock mConnectionPublisher; + std::unique_ptr mLayerManager; + NiceMock mNetworkManager; + NiceMock mNodeInfoProvider; + std::unique_ptr mOCIManager; + NiceMock mPermHandler; + NiceMock mResourceManager; + NiceMock mResourceMonitor; + NiceMock mRunner; + NiceMock mRuntime; + std::unique_ptr mServiceManager; + std::unique_ptr mStatusReceiver; + std::unique_ptr mStorage; + std::unique_ptr mCryptoProvider; }; } // namespace diff --git a/tests/utils/src/crypto/providers/mbedtlsfactory.cpp b/tests/utils/src/crypto/providers/mbedtlsfactory.cpp index 295c17ec5..f2445f60d 100644 --- a/tests/utils/src/crypto/providers/mbedtlsfactory.cpp +++ b/tests/utils/src/crypto/providers/mbedtlsfactory.cpp @@ -369,7 +369,7 @@ std::string MBedTLSCryptoFactory::GetName() return "MBedTLS"; } -x509::ProviderItf& MBedTLSCryptoFactory::GetCryptoProvider() +CryptoProviderItf& MBedTLSCryptoFactory::GetCryptoProvider() { return mProvider; } diff --git a/tests/utils/src/crypto/providers/opensslfactory.cpp b/tests/utils/src/crypto/providers/opensslfactory.cpp index a880fb0e3..d4e7b548d 100644 --- a/tests/utils/src/crypto/providers/opensslfactory.cpp +++ b/tests/utils/src/crypto/providers/opensslfactory.cpp @@ -405,7 +405,7 @@ std::string OpenSSLCryptoFactory::GetName() return "OpenSSL"; } -x509::ProviderItf& OpenSSLCryptoFactory::GetCryptoProvider() +CryptoProviderItf& OpenSSLCryptoFactory::GetCryptoProvider() { return mProvider; }