diff --git a/confluent_osdeploy/utils/gopasshmac/go.mod b/confluent_osdeploy/utils/gopasshmac/go.mod
new file mode 100644
index 00000000..83303fa8
--- /dev/null
+++ b/confluent_osdeploy/utils/gopasshmac/go.mod
@@ -0,0 +1,10 @@
+module genpasshmac
+
+go 1.22
+
+toolchain go1.23.6
+
+require (
+ github.com/go-crypt/crypt v0.3.2 // indirect
+ github.com/go-crypt/x v0.3.2 // indirect
+)
diff --git a/confluent_osdeploy/utils/gopasshmac/go.sum b/confluent_osdeploy/utils/gopasshmac/go.sum
new file mode 100644
index 00000000..91d036f4
--- /dev/null
+++ b/confluent_osdeploy/utils/gopasshmac/go.sum
@@ -0,0 +1,4 @@
+github.com/go-crypt/crypt v0.3.2 h1:I4i0u2g8X9bxCXIjvv19BDVXqQbddDQrURCJrOyyJos=
+github.com/go-crypt/crypt v0.3.2/go.mod h1:U0YhpCizEtaVC4gVfUUN0qGn1Z6+e3at+B5uLYx/sV0=
+github.com/go-crypt/x v0.3.2 h1:m2wn2+8tp28V4yDiW5NSTiyNSXnCoTs1R1+H+cAJA3M=
+github.com/go-crypt/x v0.3.2/go.mod h1:uelN9rbD2e2eqE8KA26B9R6OQ0TdM6msWdPsoMM1ZFk=
diff --git a/confluent_osdeploy/utils/gopasshmac/main.go b/confluent_osdeploy/utils/gopasshmac/main.go
new file mode 100644
index 00000000..788b2d6c
--- /dev/null
+++ b/confluent_osdeploy/utils/gopasshmac/main.go
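Review bot: In go.mod both requirements carry `// indirect`, but main.go in this commit imports `github.com/go-crypt/crypt/algorithm/shacrypt` directly, so the first one is a direct dependency. Running `go mod tidy` would rewrite that line to `github.com/go-crypt/crypt v0.3.2` without the marker and leave only `github.com/go-crypt/x` as indirect. Keeping the marker accurate matters when someone audits which third-party code this password-generating tool links on purpose.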
@@ -0,0 +1,49 @@
+package main
+
+import (
+ "flag"
+ //"fmt"
+ "github.com/go-crypt/crypt/algorithm/shacrypt"
+ "os"
+ "crypto/rand"
+ "encoding/base64"
+ "crypto/hmac"
+ "crypto/sha256"
+)
+
+func main() {
+ hmackeyfile := flag.String("k", "", "Key file for HMAC calculation")
+ passfile := flag.String("p", "", "File to write generated password to")
+ cryptfile := flag.String("c", "", "File to write crypted form of key to")
+ hmacfile := flag.String("m", "", "File to write HMAC value to")
+ flag.Parse()
+ randbytes := make([]byte, 36)
+ _, err := rand.Read(randbytes)
+ if err != nil {
+ panic(err)
+ }
+ newpasswd := base64.StdEncoding.EncodeToString(randbytes)
+ hasher, err := shacrypt.New(shacrypt.WithVariant(shacrypt.VariantSHA256), shacrypt.WithIterations(5000))
+ if err != nil {
+ panic(err)
+ }
+
+ digest, err := hasher.Hash(newpasswd)
+ if err != nil {
+ panic(err)
+ }
+ cryptdata := []byte(digest.Encode())
+ err = os.WriteFile(*passfile, []byte(newpasswd), 0600)
+ if err != nil { panic(err )}
+ err = os.WriteFile(*cryptfile, cryptdata, 0600)
+ if err != nil { panic(err )}
+ keydata, err := os.ReadFile(*hmackeyfile)
+ if err != nil { panic(err )}
+ hmacer := hmac.New(sha256.New, keydata)
+ hmacer.Write(cryptdata)
+ hmacresult := hmacer.Sum(nil)
+ hmacout := []byte(base64.StdEncoding.EncodeToString(hmacresult))
+ err = os.WriteFile(*hmacfile, hmacout, 0600)
+ if err != nil { panic(err )}
+}
+
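Review bot: The three `os.WriteFile(..., 0600)` calls in `main` apply 0600 only when they create the file. If the `-p`, `-c` or `-m` path already exists it is truncated and keeps its previous mode, so the plaintext password can land in a file other users can read. I would route the writes through a small helper that opens the file, calls `Chmod(0600)` on the handle and only then writes, as sketched below. The key named by `-k` is also read only after the password and crypt files are already on disk, and a zero-length key is passed to `hmac.New` without complaint. Reading the key first and rejecting an empty one avoids a half-written output set and an HMAC that anyone could recompute.

```go
// writeSecret creates or truncates path and forces mode 0600 on the open
// handle, because the perm argument is ignored when the file already exists.
func writeSecret(path string, data []byte) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
	if err != nil {
		return err
	}
	// Tighten the mode before any secret bytes reach the file.
	if err := f.Chmod(0600); err != nil {
		f.Close()
		return err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}

func main() {
	// … unchanged: flag definitions and flag.Parse() …
	keydata, keyErr := os.ReadFile(*hmackeyfile)
	if keyErr != nil {
		panic(keyErr)
	}
	if len(keydata) == 0 {
		panic("HMAC key file is empty")
	}
	// … unchanged: password generation and sha256-crypt hashing …
	if err := writeSecret(*passfile, []byte(newpasswd)); err != nil {
		panic(err)
	}
	if err := writeSecret(*cryptfile, cryptdata); err != nil {
		panic(err)
	}
	// … unchanged: HMAC computation over cryptdata (the later os.ReadFile of the key is dropped) …
	if err := writeSecret(*hmacfile, hmacout); err != nil {
		panic(err)
	}
}
```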