@mbartosh, here is an overview of the process flow.
Start with a current set of OpenSSL binaries for whichever OS(es) you plan to target. Create a task or add these to your image. Then set permissions to deny all but system for this location.
Create at least one key pair using OpenSSL adapting the parameters to your situation. For example, a 4096-bit RSA key pair can be created:
openssl.exe genrsa -out private.pem 4096
openssl.exe rsa -in private.pem -out public.pem -outform PEM -pubout
Then insert half of your key pair in a location on your clients. Obscure the location and restrict permissions to all but system.
Secure and protect the other half as your organization requires.
OpenSSL can then be used to encrypt passwords, files, or whatever you want. Some sample generic syntax:
openssl pkeyutl -encrypt -pubin -inkey public.pem -in clear_text_data_to_encrypt.txt -out binary_encrypted_data.ssl
openssl base64 -e -in binary_encrypted_data.ssl -out Base64_encoded_encrypted_data_for_transport.ssl
The encoded encrypted files can be deployed via BigFix or inserted into an image. (I recommend a naming convention for these files.) This is essentially what early versions of Local User Management were doing under the covers. Today they embed OpenSSL libraries with the installs, so it is more integrated into the product versus a bolt-on.
At runtime, reverse the order of the OpenSSL commands to decode the base64 to binary, then decrypt to a temporary location with only system access, pipe the decrypted information into whatever you need (app, config file, PowerShell, batch, etc.). At the end of the job, it is a good practice to clean up by secure delete (Sysinternals SDelete for Windows).
This process isn’t perfect, but it does work. It offers some advantages over the inherent LUM. 1) Encrypt once to thousands of machines versus needing to spend root server cycles encrypting the same thing 1000s of times over uniquely for each client. 2) Anything supported by OpenSSL encryption is fair game, not just limited to passwords. 3) Target groups, not limited to specific individual machines. 4) Target machines that are not yet created via dynamic groups and policy actions (very helpful in automated build scenarios).
Common mistakes are not adequately securing the OpenSSL working folder on the client or not immediately secure wiping the decrypted data after use.
Hope this helps.
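The whole flow above, build side and runtime side, as an added round-trip script that is not part of the original post or of BigFix's Local User Management. It assumes a POSIX shell with the openssl CLI on the path; on Windows the same commands run under openssl.exe, and the in-place overwrite stands in for SDelete. It also covers the two common mistakes called out above: the temp directory is created mode 0700, and the plaintext is overwritten before it is unlinked.

```bash
#!/usr/bin/env bash
# Constructed round trip of the flow above. Build side: key pair, encrypt once,
# base64 for transport. Client side: decode, decrypt into a system-only temp dir,
# hand the secret to a consumer, then overwrite and remove the plaintext.
set -eu

make_keypair() {            # $1 = directory; public.pem is the half that ships to clients
  openssl genrsa -out "$1/private.pem" 4096 2>/dev/null
  openssl rsa -in "$1/private.pem" -out "$1/public.pem" -outform PEM -pubout 2>/dev/null
}

# Default pkeyutl RSA padding is PKCS#1 v1.5, so the input is capped at the
# modulus size minus 11 bytes (501 bytes for a 4096-bit key): secrets, not bulk files.
encrypt_for_transport() {   # $1 = public key, $2 = plaintext file, $3 = base64 output
  openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3.bin"
  openssl base64 -e -in "$3.bin" -out "$3"
  rm -f "$3.bin"            # only the transport-encoded copy leaves the build host
}

wipe_file() {               # $1 = file; overwrite in place before unlink (SDelete's job on Windows)
  local size; size=$(wc -c < "$1")
  dd if=/dev/urandom of="$1" bs=1 count="$size" conv=notrunc 2>/dev/null
  rm -f "$1"
}

# Runtime: reverse the build-side order. Prints what the consumer received so the
# result can be checked; a real job would pipe it into the app/config/script instead.
use_secret() {              # $1 = private key, $2 = base64 transport file
  local work seen
  work=$(umask 077 && mktemp -d)           # 0700: nobody but the running account
  openssl base64 -d -in "$2" -out "$work/enc.bin"
  openssl pkeyutl -decrypt -inkey "$1" -in "$work/enc.bin" -out "$work/clear.txt"
  seen=$(cat "$work/clear.txt")            # stand-in consumer
  wipe_file "$work/clear.txt"              # the common mistake: skipping this step
  rm -rf "$work"
  printf '%s' "$seen"
}

# Demo with a constructed secret: ./script.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); make_keypair "$d"; printf 'constructed-secret' > "$d/clear.txt"
  encrypt_for_transport "$d/public.pem" "$d/clear.txt" "$d/secret.b64"
  use_secret "$d/private.pem" "$d/secret.b64"; echo; rm -rf "$d"
fi
```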