@haraldk, the basic idea is to distribute the OpenSSL binaries in a consistent location across your clients. Create an OpenSSL key pair, securing half the pair, while distributing the other half to all your clients. Then, when you encrypt a bit of data, say a password, with the secured half of the key pair, your clients will be able to decrypt the secure value. Here is an excerpt of a prior thread that has some basics. Try it out and post if you get stuck.
Start with a current set of OpenSSL binaries for whichever OS(es) you plan to target. Create a task or add these to your image. Then set permissions to deny all but system for this location. (I like to use \OpenSSL under the client install folder.)
Create at least one key pair using OpenSSL, adapting the parameters to your situation. For example, a 4096-bit RSA key pair can be created:
openssl.exe genrsa -out private.pem 4096
openssl.exe rsa -in private.pem -out public.pem -outform PEM -pubout
Then insert half of your key pair in a location on your clients. Obscure the location and restrict permissions to all but system.
Secure and protect the other half as your organization requires.
OpenSSL can then be used to encrypt passwords, files, or whatever you want. Some sample generic syntax:
openssl pkeyutl -encrypt -pubin -inkey public.pem -in clear_text_data_to_encrypt.txt -out binary_encrypted_data.ssl
openssl base64 -e -in binary_encrypted_data.ssl -out Base64_encoded_encrypted_data_for_transport.ssl
The encoded encrypted files can be deployed via BigFix or inserted into an image. (I recommend a naming convention for these files.) This is essentially what early versions of Local User Management were doing under the covers. Today they embed OpenSSL libraries with the installs so it is more integrated into the product versus a bolt-on.
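The commands in the post stop at the Base64 step. As an added example (not part of the original post), the sketch below runs them end to end and adds the decode and decrypt a client would perform; because the data was encrypted with -pubin and public.pem, decrypting it requires private.pem. The roundtrip function, the temporary directory and the intermediate file names are assumptions, and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example: round trip of the post's OpenSSL commands plus the
# client-side decrypt. Function and file names here are constructed.

# roundtrip SECRET [BITS] -> writes the decrypted value to stdout
roundtrip() {
    secret=$1
    bits=${2:-4096}                       # the post's example key size
    work=$(mktemp -d) || return 1
    rc=0
    (
        cd "$work" || exit 1
        umask 077                         # key and clear text readable by owner only

        # Key pair, exactly as in the post
        openssl genrsa -out private.pem "$bits" 2>/dev/null || exit 1
        openssl rsa -in private.pem -out public.pem -outform PEM -pubout 2>/dev/null || exit 1

        # Encrypt and encode for transport, as in the post.
        # pkeyutl's default RSA padding is PKCS#1 v1.5, which accepts at most
        # (key bytes - 11) bytes: 501 for a 4096-bit key. Longer input fails here.
        printf '%s' "$secret" > clear.txt
        openssl pkeyutl -encrypt -pubin -inkey public.pem \
            -in clear.txt -out enc.bin || exit 1
        openssl base64 -e -in enc.bin -out enc.b64 || exit 1

        # Client side (not shown in the post): decode, then decrypt with
        # the private half of the pair.
        openssl base64 -d -in enc.b64 -out dec.bin || exit 1
        openssl pkeyutl -decrypt -inkey private.pem -in dec.bin || exit 1
    ) || rc=$?
    rm -rf "$work"                        # remove key material and clear text
    return "$rc"
}

# Usage: roundtrip 'constructed-sample-password'
```

A non-zero return from roundtrip on long input is the padding limit, not a key problem; anything larger than a password-sized value needs a different approach than direct RSA encryption.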