diff --git a/docker/crd-installer.Dockerfile b/docker/crd-installer.Dockerfile
index ecd69b78d..8485663e3 100644
--- a/docker/crd-installer.Dockerfile
+++ b/docker/crd-installer.Dockerfile
@@ -14,11 +14,12 @@ COPY cmd/crdinstaller/ cmd/crdinstaller/
 
 ARG TARGETARCH
 
-# Build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} GO111MODULE=on go build -o crdinstaller cmd/crdinstaller/main.go
+# Build with CGO enabled and GOEXPERIMENT=systemcrypto for internal usage
+RUN CGO_ENABLED=1 GOOS=linux GOARCH=${TARGETARCH} GOEXPERIMENT=systemcrypto GO111MODULE=on go build -o crdinstaller cmd/crdinstaller/main.go
 
-# Use distroless as minimal base image to package the crdinstaller binary
-FROM gcr.io/distroless/static:nonroot
+# Use Azure Linux distroless base image to package the crdinstaller binary
+# Refer to https://mcr.microsoft.com/en-us/artifact/mar/azurelinux/distroless/base/about for more details
+FROM mcr.microsoft.com/azurelinux/distroless/base:3.0
 WORKDIR /
 COPY --from=builder /workspace/crdinstaller .
 COPY config/crd/bases/ /workspace/config/crd/bases/
diff --git a/docker/hub-agent.Dockerfile b/docker/hub-agent.Dockerfile
index d674ce51f..48eb7b3e4 100644
--- a/docker/hub-agent.Dockerfile
+++ b/docker/hub-agent.Dockerfile
@@ -16,12 +16,12 @@ COPY pkg/ pkg/
 
 ARG TARGETARCH
 
-# Build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} GO111MODULE=on go build -o hubagent  cmd/hubagent/main.go
+# Build with CGO enabled and GOEXPERIMENT=systemcrypto for internal usage
+RUN CGO_ENABLED=1 GOOS=linux GOARCH=${TARGETARCH} GOEXPERIMENT=systemcrypto GO111MODULE=on go build -o hubagent  cmd/hubagent/main.go
 
-# Use distroless as minimal base image to package the hubagent binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot
+# Use Azure Linux distroless base image to package the hubagent binary
+# Refer to https://mcr.microsoft.com/en-us/artifact/mar/azurelinux/distroless/base/about for more details
+FROM mcr.microsoft.com/azurelinux/distroless/base:3.0
 WORKDIR /
 COPY --from=builder /workspace/hubagent .
 USER 65532:65532
diff --git a/docker/member-agent.Dockerfile b/docker/member-agent.Dockerfile
index 2b35ad2a8..4761ac3af 100644
--- a/docker/member-agent.Dockerfile
+++ b/docker/member-agent.Dockerfile
@@ -16,12 +16,12 @@ COPY pkg/ pkg/
 
 ARG TARGETARCH
 
-# Build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} GO111MODULE=on go build -o memberagent main.go
+# Build with CGO enabled and GOEXPERIMENT=systemcrypto for internal usage
+RUN CGO_ENABLED=1 GOOS=linux GOARCH=${TARGETARCH} GOEXPERIMENT=systemcrypto GO111MODULE=on go build -o memberagent main.go
 
-# Use distroless as minimal base image to package the memberagent binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot
+# Use Azure Linux distroless base image to package the memberagent binary
+# Refer to https://mcr.microsoft.com/en-us/artifact/mar/azurelinux/distroless/base/about for more details
+FROM mcr.microsoft.com/azurelinux/distroless/base:3.0
 WORKDIR /
 COPY --from=builder /workspace/memberagent .
 USER 65532:65532
diff --git a/docker/refresh-token.Dockerfile b/docker/refresh-token.Dockerfile
index 2f7e764c8..1b59d1ca8 100644
--- a/docker/refresh-token.Dockerfile
+++ b/docker/refresh-token.Dockerfile
@@ -1,4 +1,4 @@
-# Build the hubagent binary
+# Build the refreshtoken binary
 FROM mcr.microsoft.com/oss/go/microsoft/golang:1.24.4 AS builder
 
 WORKDIR /workspace
@@ -15,12 +15,12 @@ COPY pkg/authtoken pkg/authtoken
 
 ARG TARGETARCH
 
-# Build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} GO111MODULE=on go build -o refreshtoken main.go
+# Build with CGO enabled and GOEXPERIMENT=systemcrypto for internal usage
+RUN CGO_ENABLED=1 GOOS=linux GOARCH=${TARGETARCH} GOEXPERIMENT=systemcrypto GO111MODULE=on go build -o refreshtoken main.go
 
-# Use distroless as minimal base image to package the refreshtoken binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot
+# Use Azure Linux distroless base image to package the refreshtoken binary
+# Refer to https://mcr.microsoft.com/en-us/artifact/mar/azurelinux/distroless/base/about for more details
+FROM mcr.microsoft.com/azurelinux/distroless/base:3.0
 WORKDIR /
 COPY --from=builder /workspace/refreshtoken .
 USER 65532:65532