Wartz · March 6, 2020 14:17 · Mar 6, 2020
diff --git a/encrypt text with openssl.md b/encrypt text with openssl.md
@@ -0,0 +1,45 @@
+# Encrypt text or files with OpenSSL
+This has been very useful for Jamf policy / script parameters that contain passwords. It's not perfect because the passphrase and salt must be transferred as well, but at least it's not in cleartext...
+
+
+## Salt and passphrase
+
+You can use OpenSSL to generate psuedo-random text which is more than enough for this tbh considering all the other problems this solution has.
+I believe the salt cant be more than 8 characters long cuz it's a hexidecimal value. Or it could be that both the salt and the passphrase need to be a valid hex string which means they could be longer just have to be a specific length. (Idk I could be entirely wrong on this).
+
+Just do 8 and 12, I know that works.
+
+`man openssl`
+> -S salt
+> 
+> The actual salt to use: this must be represented as a string comprised only of hex digits.
+
+### Generate the salt / passcode strings
+
+`openssl rand -hex 8` - salt
+
+`openssl rand -hex 12` - passphase
+
+## Encrypt your password text
+This will generate your encrypted text. If you want to-say-change a user account password, you could use the same salt and passphrase for both the old and new passwords.
+
+```
+echo "<your password>" | openssl enc -aes256 -a -A -S <salt hex string> -k <passphrase hex string>
+```
+
+
+## Pass the encrypted text to a Jamf script
+
+```
+#!/bin/sh
+
+salt=<your salt string>
+passphrase=<your passphrase string>
+
+old_adminpass="$(echo "${4}" | /usr/bin/openssl enc -aes256 -d -a -A -S "$salt" -k "$passphrase")"
+new_adminpass="$(echo "${5}" | /usr/bin/openssl enc -aes256 -d -a -A -S "$salt" -k "$passphrase")"
+
+# Reset a local account password
+
+/usr/local/bin/jamf changePassword -username localadmin -password "$new_adminpass" -oldPassword "$old_adminpass"
+```