Answering my own question. The script below explains it.

https://gist.github.com/vishvananda/4008762 (https://gist.github.com/vishvananda/4...)

#!/usr/bin/env bash
SSH_KEYFILE=`tempfile`
SSL_KEYFILE=`tempfile`
if ! curl -s -f http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key > $SSH_KEYFILE; then
  echo  "Failed to get key"
fi
cat $SSH_KEYFILE
PASSWORD=`openssl rand -base64 48 | tr -d '/+' | cut -c1-16`
sudo usermod ubuntu -p `openssl passwd -1 $PASSWORD`

ssh-keygen -e -f $SSH_KEYFILE -m PKCS8 > $SSL_KEYFILE
ENCRYPTED=`echo "$PASSWORD" | openssl rsautl -encrypt -pubin -inkey $SSL_KEYFILE -keyform PEM | openssl base64 -e -A`
echo $'\n'"ENCRYPTED_PASSWORD:$ENCRYPTED" | sudo tee /dev/console
curl -X POST http://169.254.169.254/openstack/2013-04-04/password -d $ENCRYPTED || true
rm $SSH_KEYFILE $SSL_KEYFILE
# get the script
# curl -sOL https://raw.github.com/gist/4008762/getpass.sh
# add keypair
# nova add-key --pub-key .ssh/id_rsa.pub mykey
# boot instance
# nova boot --flavor <flavor-id> --image <image-uuid> --key-name mykey --user-data getpass.sh test
# Get the password on the client side:
# nova get-password test .ssh/id_rsa
# Or with an older nova install:
# nova console-log test | grep 'ENCRYPTED_PASSWORD' | cut -d':' -f2 | tail -n 1 | openssl base64 -d -A | openssl rsautl -decrypt -inkey .ssh/id_rsa