diff --git a/ci-operator/step-registry/ipi/conf/aws/kms-key/ipi-conf-aws-kms-key-commands.sh b/ci-operator/step-registry/ipi/conf/aws/kms-key/ipi-conf-aws-kms-key-commands.sh index 9d667bfd976c7..9b20bd02fe4ff 100755 --- a/ci-operator/step-registry/ipi/conf/aws/kms-key/ipi-conf-aws-kms-key-commands.sh +++ b/ci-operator/step-registry/ipi/conf/aws/kms-key/ipi-conf-aws-kms-key-commands.sh @@ -8,6 +8,27 @@ export AWS_SHARED_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/.awscred" CONFIG="${SHARED_DIR}/install-config.yaml" +if [[ "${AWS_KMS_KEY_ENABLE_DEFAULT_MACHINE}" == "yes" ]]; then + key_arn_default_machine=${AWS_KMS_KEY_ARN_DEFAULT_MACHINE} + if [[ "${key_arn_default_machine}" == "" ]]; then + # pre-creaetd + key_arn_default_machine=$(head -n 1 ${SHARED_DIR}/aws_kms_key_arn) + fi + + KMS_PATCH_DEFAULT_MACHINE="${ARTIFACT_DIR}/install-config-kms-default-machine.yaml.patch" + cat > "${KMS_PATCH_DEFAULT_MACHINE}" << EOF +platform: + aws: + defaultMachinePlatform: + rootVolume: + kmsKeyARN: ${key_arn_default_machine} +EOF + echo "KMS_PATCH_DEFAULT_MACHINE: ${KMS_PATCH_DEFAULT_MACHINE}" + cat $KMS_PATCH_DEFAULT_MACHINE + yq-go m -x -i "${CONFIG}" "${KMS_PATCH_DEFAULT_MACHINE}" +fi + + if [[ "${AWS_KMS_KEY_ENABLE_CONTROL_PLANE}" == "yes" ]]; then key_arn_control_plane=${AWS_KMS_KEY_ARN_CONTROL_PLANE} if [[ "${key_arn_control_plane}" == "" ]]; then @@ -49,6 +70,8 @@ EOF yq-go m -x -i "${CONFIG}" "${KMS_PATCH_COMPUTE}" fi +echo "defaultMachinePlatform key:" +yq-go r $CONFIG 'platform.aws.defaultMachinePlatform.rootVolume.kmsKeyARN' echo "controlPlane key:" yq-go r $CONFIG 'controlPlane.platform.aws.rootVolume.kmsKeyARN' echo "compute key:" diff --git a/ci-operator/step-registry/ipi/conf/aws/kms-key/ipi-conf-aws-kms-key-ref.yaml b/ci-operator/step-registry/ipi/conf/aws/kms-key/ipi-conf-aws-kms-key-ref.yaml index f8a9885b6eb6f..9245aef686f5c 100644 --- a/ci-operator/step-registry/ipi/conf/aws/kms-key/ipi-conf-aws-kms-key-ref.yaml 
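Review bot: In the first hunk the fallback branch never checks that it actually obtained a key ARN, so an empty or whitespace `${SHARED_DIR}/aws_kms_key_arn` produces a patch with a bare `kmsKeyARN:` that yq-go still merges, and the step exits successfully having silently dropped the customer-managed-key setting for defaultMachinePlatform. Add a fail-fast after the fallback, e.g. `[[ -n "${key_arn_default_machine}" ]] || { echo "ERROR: no KMS key ARN for defaultMachinePlatform" >&2; exit 1; }`, and quote the path in the read, `key_arn_default_machine=$(head -n 1 "${SHARED_DIR}/aws_kms_key_arn")`. The same unquoted-expansion style appears in `cat $KMS_PATCH_DEFAULT_MACHINE` and in the second hunk's `yq-go r $CONFIG 'platform.aws.defaultMachinePlatform.rootVolume.kmsKeyARN'`; the ARN value is also interpolated unvalidated into the YAML heredoc, so a shape check such as `[[ "${key_arn_default_machine}" == arn:*:kms:* ]]` would catch a wrong file being picked up. The comment `# pre-creaetd` has a typo and could say what created the file: `# pre-created by step aws-provision-kms-key`.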
+++ b/ci-operator/step-registry/ipi/conf/aws/kms-key/ipi-conf-aws-kms-key-ref.yaml @@ -10,6 +10,10 @@ ref: cpu: 10m memory: 100Mi env: + - name: AWS_KMS_KEY_ARN_DEFAULT_MACHINE + default: "" + documentation: |- + KMS Key for defaultMachine, if empty (""), read key id from "${SHARED_DIR}/aws_kms_key_arn" created by step aws-provision-kms-key - name: AWS_KMS_KEY_ARN_CONTROL_PLANE default: "" documentation: |- @@ -18,12 +22,16 @@ ref: default: "" documentation: |- KMS Key for control plane nodes, if empty (""), read key id from "${SHARED_DIR}/aws_kms_key_arn" created by step aws-provision-kms-key - - name: AWS_KMS_KEY_ENABLE_COMPUTE + - name: AWS_KMS_KEY_ENABLE_DEFAULT_MACHINE default: "yes" + documentation: |- + Flag that indicate if provide KMS key in install-config.yaml for default machine nodes (platform.aws.defaultMachinePlatform.rootVolume.kmsKeyARN) + - name: AWS_KMS_KEY_ENABLE_COMPUTE + default: "no" documentation: |- Flag that indicate if provide KMS key in install-config.yaml for control plane nodes (controlPlane.platform.aws.rootVolume.kmsKeyARN) - name: AWS_KMS_KEY_ENABLE_CONTROL_PLANE - default: "yes" + default: "no" documentation: |- Flag that indicate if provide KMS key in install-config.yaml for compute nodes (compute.platform.aws.rootVolume.kmsKeyARN) documentation: |-
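Review bot: The documentation for the new AWS_KMS_KEY_ARN_DEFAULT_MACHINE entry says "read key id" although the variable name, the file and the script's use of it as `kmsKeyARN` all refer to a full ARN, and it does not say which install-config field it feeds. Suggest `KMS key ARN for platform.aws.defaultMachinePlatform.rootVolume.kmsKeyARN; if empty (""), the ARN is read from "${SHARED_DIR}/aws_kms_key_arn" created by step aws-provision-kms-key`.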
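Review bot: In the last hunk the documentation strings under the re-added AWS_KMS_KEY_ENABLE_COMPUTE and the retained AWS_KMS_KEY_ENABLE_CONTROL_PLANE are swapped: the COMPUTE flag is documented as "for control plane nodes (controlPlane.platform.aws.rootVolume.kmsKeyARN)" and the CONTROL_PLANE flag as "for compute nodes (compute.platform.aws.rootVolume.kmsKeyARN)". Since the commit inserts the COMPUTE entry directly above the control-plane text, the two `documentation` values should be exchanged so each names its own role and path. The hunk also flips the defaults of AWS_KMS_KEY_ENABLE_CONTROL_PLANE and AWS_KMS_KEY_ENABLE_COMPUTE from "yes" to "no" while AWS_KMS_KEY_ENABLE_DEFAULT_MACHINE defaults to "yes", which changes which install-config fields existing consumers of this step get; that shift, and how the per-role settings relate to defaultMachinePlatform when both are enabled, deserves a sentence in the step-level `documentation` at the end of the hunk.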