diff --git a/infrastructure_files/getting-started.sh b/infrastructure_files/getting-started.sh
index 770cecc4435..8606e5acd95 100755
--- a/infrastructure_files/getting-started.sh
+++ b/infrastructure_files/getting-started.sh
@@ -345,11 +345,34 @@ initialize_default_values() {
   NETBIRD_PORT=80
   NETBIRD_HTTP_PROTOCOL="http"
   NETBIRD_RELAY_PROTO="rel"
-  NETBIRD_RELAY_AUTH_SECRET=$(openssl rand -base64 32 | sed "$SED_STRIP_PADDING")
-  # Note: DataStoreEncryptionKey must keep base64 padding (=) for Go's base64.StdEncoding
-  DATASTORE_ENCRYPTION_KEY=$(openssl rand -base64 32)
   NETBIRD_STUN_PORT=3478
+  NETBIRD_RELAY_AUTH_SECRET=""
+  DATASTORE_ENCRYPTION_KEY=""
 
+  if command -v openssl &> /dev/null
+  then
+    NETBIRD_RELAY_AUTH_SECRET=$(openssl rand -base64 32 | sed "$SED_STRIP_PADDING")
+    # Note: DataStoreEncryptionKey must keep base64 padding (=) for Go's base64.StdEncoding
+    DATASTORE_ENCRYPTION_KEY=$(openssl rand -base64 32)
+  else
+    SHOULD_CLEAN_OPENSSL_IMAGE=true
+    OPENSSL_IMAGE=$(docker images --filter=reference="alpine/openssl:*" --format "{{.Repository}}:{{.Tag}}" | head -n 1)
+    
+    if [[ -z "$OPENSSL_IMAGE" ]]; then
+      OPENSSL_IMAGE="alpine/openssl"
+    else
+      SHOULD_CLEAN_OPENSSL_IMAGE=false
+    fi
+    
+    NETBIRD_RELAY_AUTH_SECRET=$(docker run --rm "$OPENSSL_IMAGE" rand -base64 32 | sed "$SED_STRIP_PADDING")
+    # Note: DataStoreEncryptionKey must keep base64 padding (=) for Go's base64.StdEncoding
+    DATASTORE_ENCRYPTION_KEY=$(docker run --rm "$OPENSSL_IMAGE" rand -base64 32)
+  
+    if $SHOULD_CLEAN_OPENSSL_IMAGE; then
+      docker rmi "$OPENSSL_IMAGE"
+    fi
+  fi
+  
   # Docker images
   DASHBOARD_IMAGE=${DASHBOARD_IMAGE:-"netbirdio/dashboard:latest"}
   # Combined server replaces separate signal, relay, and management containers