How to use passwords in RPA flows from Zoho Vault | Zoho RPA help

How to use passwords from Zoho Vault in RPA flows

This tutorial outlines the steps to securely retrieve and use encrypted passwords from Zoho Vault within your RPA flows.
We will cover this in two sections:
  1. Initial setup and master key generation: the one-time steps required in Zoho Vault to generate the master key needed for secure API access.
  2. RPA flow setup: steps on how to use the username and password within your RPA flows.
Prerequisites
Supported RPA agent platforms: Windows
Required Zoho accounts: Zoho Flow, Zoho Vault
Software installed: Windows PowerShell

Initial Setup and Master key generation

This is a required, one-time configuration process. The primary goal here is to generate the master key, which is essential for securely decrypting the credentials and using them in your RPA flow.

Register the API client

To generate the master key, we must first make an authorized API request to Zoho Vault. While this request could be made from any HTTP client (such as Postman), we will use the custom function feature within Zoho RPA to achieve this.
This requires setting up an API Client in the Zoho developer console. An API Client is a set of credentials (Client ID and Secret) that authorizes your API request, ensuring it has the access needed to communicate with Zoho Vault.

Follow these steps to create and register the API client:
  1. Navigate to the developer console using the URL that corresponds to the location of your data center. 
    https://api-console.zoho.<replace_data_center>/
    Data Center: Use .com for US, .in for India, or .eu for Europe.
  2. If this is your first time accessing the console, click Get Started. Otherwise, click Add Client.
  3. Choose Self Client as the client type. (Note: If you already have a configured Self Client, you may use that one.)
  4. Define the necessary scopes. Scopes specify the exact permissions for this client. Use the following scopes: ZohoVault.secrets.READ, ZohoVault.user.READ
  5. Set the code expiration duration for the client (e.g., 10 minutes) and click Generate.
  6. Download the generated codes.

Generate SALT, Sharing Key (K) and Private Key (P)

The next step is to generate the SALT, sharing key, and private key that are required to derive the master key.
1. Create a custom function in your RPA account and paste the following code. Learn to create custom functions
    void fetchOnetimeVaultKeys(string code, string client_id, string client_secret, string dc)
    {
        // Exchange the self-client authorization code for an OAuth access token
        refreshTokenResponse = invokeurl
        [
            url :"https://accounts.zoho." + dc + "/oauth/v2/token?code=" + code + "&client_id=" + client_id + "&client_secret=" + client_secret + "&grant_type=authorization_code"
            type :POST
        ];
        token = refreshTokenResponse.get("access_token");
        headers = Map();
        headers.put("Authorization","Zoho-oauthtoken " + token);
        // GET_LOGIN returns the SALT used in key derivation
        getLoginResponse = invokeurl
        [
            url :"https://vault.zoho." + dc + "/api/json/login?OPERATION_NAME=GET_LOGIN"
            type :GET
            headers:headers
        ];
        info "SALT : " + getLoginResponse.get("operation").get("details").get("SALT");
        // OPEN_VAULT returns the private key and the sharing key
        openVaultResponse = invokeurl
        [
            url :"https://vault.zoho." + dc + "/api/json/login?OPERATION_NAME=OPEN_VAULT"
            type :GET
            headers:headers
        ];
        info "PRIVATE KEY : " + openVaultResponse.get("operation").get("details").get("PRIVATEKEY");
        info "SHARING KEY : " + openVaultResponse.get("operation").get("details").get("SHARINGKEY");
    }
2. Execute the function using the values (Client ID, Secret, and Code) obtained from the previous step. Ensure the data center (dc) value you pass matches your account's domain suffix (com, in, or eu, without the leading dot, since the function prepends it).
Note: If you receive an error, your authorization code may have expired. Regenerate the code in the Developer console and execute the function again.
3. Once the function executes successfully, three keys will be generated. Click the Info tab, then copy and save the keys (SALT, Private key, Sharing key) temporarily.
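The same two-request sequence run outside Zoho RPA (the page notes that any HTTP client works), as an added Python example that is not Zoho's code. It uses only the endpoints shown in the function above, sends the client secret in the POST body rather than the URL so it stays out of request logs, expects dc as com, in or eu, and includes a constructed offline transport with sample values so the expired-code and rejected-token failure paths can be exercised without a live account.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample replies shaped like GET_LOGIN / OPEN_VAULT, for offline use only.
SAMPLE_LOGIN = {"operation": {"details": {"SALT": "sample-salt"}}}
SAMPLE_OPEN_VAULT = {"operation": {"details": {
    "PRIVATEKEY": "sample-private-key", "SHARINGKEY": "sample-sharing-key"}}}

def http_json(url, method="GET", data=None, headers=None):
    """Real transport (stdlib only): form-encoded POST body or GET, JSON reply."""
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def offline_transport(url, method="GET", data=None, headers=None):
    """Constructed stand-in for http_json that also mimics an expired-code error."""
    if url.endswith("/oauth/v2/token"):
        if method != "POST" or (data or {}).get("code") != "valid-code":
            return {"error": "invalid_code"}  # shape of an expired/reused code reply
        return {"access_token": "sample-token"}
    if (headers or {}).get("Authorization") != "Zoho-oauthtoken sample-token":
        return {"operation": {"result": {"status": "failed"}}}  # no details key
    return SAMPLE_LOGIN if url.endswith("GET_LOGIN") else SAMPLE_OPEN_VAULT

def exchange_code(code, client_id, client_secret, dc, transport=http_json):
    """Trade the self-client code for an access token; secrets travel in the POST body."""
    if dc not in ("com", "in", "eu"):
        raise ValueError(f"dc must be com, in or eu, got {dc!r}")
    resp = transport(f"https://accounts.zoho.{dc}/oauth/v2/token", "POST",
                     {"code": code, "client_id": client_id,
                      "client_secret": client_secret, "grant_type": "authorization_code"})
    if "access_token" not in resp:  # usually an expired code: regenerate it in the console
        raise RuntimeError(f"token exchange failed: {resp.get('error', resp)}")
    return resp["access_token"]

def fetch_onetime_vault_keys(token, dc, transport=http_json):
    """GET_LOGIN yields the SALT; OPEN_VAULT yields the private and sharing keys."""
    headers = {"Authorization": f"Zoho-oauthtoken {token}"}
    base = f"https://vault.zoho.{dc}/api/json/login?OPERATION_NAME="
    login = transport(base + "GET_LOGIN", "GET", None, headers)
    opened = transport(base + "OPEN_VAULT", "GET", None, headers)
    try:
        return {"SALT": login["operation"]["details"]["SALT"],
                "PRIVATEKEY": opened["operation"]["details"]["PRIVATEKEY"],
                "SHARINGKEY": opened["operation"]["details"]["SHARINGKEY"]}
    except KeyError as missing:  # token rejected or vault not opened
        raise RuntimeError(f"unexpected Vault response, missing {missing}") from None
```

Pass the default transport (or omit the argument) to run the real requests; the returned dictionary holds the three values the key-derivation step needs.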


Derive Master and ORG keys

We will use the keys generated in the previous step (SALT, Private key, Sharing key) to derive the Master key. 
  1. Download the Zoho Vault key derivation HTML file and open it using a web browser of your choice (e.g., Ulaa, Chrome, or Firefox).
  2. Fill in the form inputs: enter your master key password and the keys generated in the previous step (SALT, Private key, Sharing key).
  3. After filling in the inputs, the master key and org key will be generated. Copy the generated keys from the Decryption section. If the org key is not generated, only the master key is needed. These keys will be required in the next step.

Create PowerShell decryption script

The final step of this setup is to create the decryption script using the keys you just generated.
1. On the desktop machine where your RPA workflow will run, download this PowerShell script file and rename it to DecryptVault.ps1.
Make sure you fill in your ORG Key and Master Key in the code:
    # Reference of the code where you need to change the ORG/Master key
    $masterKey = "<replace_here>"
    $orgKey = "<replace_here>"
Note: If your ORG Key contains a double quote ("), make sure you use a backtick (`) before the double quote (") to escape the character in your PowerShell script.
2. Save the file (e.g., as DecryptVault.ps1) and place it in the location where you need it.

RPA flow setup

This section details how to set up your Zoho RPA flow to securely fetch passwords from Zoho Vault, decrypt them using the PowerShell script (DecryptVault.ps1), and input them into a web portal or desktop application.

Setting up this flow is a multi-step process designed to maintain security by keeping the credentials encrypted until the moment they are actually used during workflow execution. The process involves fetching the encrypted password from Zoho Vault, decrypting it using a local PowerShell script, and using the system clipboard only as a temporary channel for input.

The flow first uses the Fetch Password action to retrieve the encrypted credentials. A custom function then parses the result and separates the encrypted username and password. For each output (i.e., username and password), the flow executes the PowerShell script via the Open Application action, passing the encrypted string for decryption. The script places the decrypted value directly on the clipboard, and the credential is then pasted into the application using the Send hotkeys action. After these steps are repeated for both the username and password, a final PowerShell command is run to immediately clear the clipboard so that no sensitive data remains exposed.
Let's look at how to implement this process in detail.

Create RPA flow 

  1. Create the required RPA flow, or navigate to the flow where you want to retrieve passwords from Zoho Vault. Ensure the agent machine that will execute this flow has the PowerShell decryption file (DecryptVault.ps1) ready and accessible.
  2. Use Web or Windows actions (like Open Application for invoicegenerator.exe or Open URL for myportal.com) to get to the required login screen.
  3. Use the Click action to indicate the field (username or password) where you want the credential to be entered.

Fetch password from Zoho Vault

Drag and drop the Fetch Password action (under the Apps section) into your flow. In the configuration window, enter the exact password name you want to fetch from Zoho Vault.
Next, we will use a set of actions that extract the encrypted credentials from the fetched result.

Get encrypted username and password

1. Create a custom function to parse the JSON output and get the encrypted credentials. Navigate to the Logic tab, and under Custom function, create a new custom function:
    map parseVaultPassword(string secretData)
    {
        // secretData is the JSON returned by the Fetch Password action;
        // both fields are still encrypted at this point
        password = secretData.getJSON("password");
        username = secretData.getJSON("username");
        outputData = Map();
        outputData.put("username",username);
        outputData.put("password",password);
        return outputData;
    }

2. Use this function in the workflow, and make sure you map the output of the Fetch Password action as its input.

The output of this function will provide the separate encrypted username and password variables.


Decrypt and input username

Here, we will pass the encrypted username and the necessary parameters to the PowerShell script for decryption.
1. Drag and drop the Open Application action, found under the Windows App category, into your flow.
2. Use the Indicate on screen option to locate your PowerShell application on the desktop machine.
3. In the Arguments field, use the following command. Remember to replace the file path with the actual path on your machine.

    powershell.exe -NoProfile -NoExit -ExecutionPolicy Bypass -File <replace_file_path> -cipherText "${parseVaultPassword_2.username}" -isShared "${fetchPassword_1.isshared}" -displayValue "NO"

where,
<replace_file_path> - Full path to the DecryptVault.ps1 file on your local machine (e.g., C:\Users\Demo_user\Desktop\DecryptVault.ps1).
${parseVaultPassword_2.username} - username output from the parseVaultPassword custom function; use the function's instance name as shown in your flow. (See the screenshot below.)
${fetchPassword_1.isshared} - isshared output parameter from the Fetch Password action. (See the screenshot below.)

4. Drag and drop the Send hotkeys action (from the Web or Windows category) into the flow and configure it to send Ctrl + V, which pastes the decrypted username from the clipboard into the input field.
5. Add any subsequent actions required for the login process, such as a Click action on the "Password" or "Next" button.


Decrypt and input password

We'll need to repeat all of these steps to enter the password into the required field.
1. Drag and drop the Open Application action, found under the Windows App category, into your flow.
2. Use the Indicate on screen option to locate your PowerShell application on the desktop machine.
3. In the Arguments field, use the following command. Remember to replace the file path with the actual path on your machine.

    powershell.exe -NoProfile -NoExit -ExecutionPolicy Bypass -File <replace_file_path> -cipherText "${parseVaultPassword_2.password}" -isShared "${fetchPassword_1.isshared}" -displayValue "NO"

where,
<replace_file_path> - Full path to the DecryptVault.ps1 file on your local machine (e.g., C:\Users\Demo_user\Desktop\DecryptVault.ps1).
${parseVaultPassword_2.password} - password output from the parseVaultPassword custom function; use the function's instance name as shown in your flow.
${fetchPassword_1.isshared} - isshared output parameter from the Fetch Password action. (See the screenshot below.)
4. Drag and drop the Send hotkeys action (from the Web or Windows category) into the flow and configure it to send Ctrl + V, which pastes the decrypted password from the clipboard into the input field.
5. Add any subsequent actions required for the login process, such as a Click action on the "Login" button.

Clear clipboard and continue

For security, the clipboard must be cleared immediately after the password is pasted, so the plaintext credential does not linger where any other process on the machine could read it.
1. Drag and drop the Open Application action, found under the Windows App category, into your flow.
2. In the Arguments field, use the following command.
    powershell.exe -NoProfile -NoExit -ExecutionPolicy Bypass -File <replace_file_path> -clearClipboard YES
where, <replace_file_path> - Full path to the DecryptVault.ps1 file on your local machine (e.g., C:\Users\Demo_user\Desktop\DecryptVault.ps1).

You can now proceed with the remaining steps of your automation flow.

Watch this video below to see the bot in action.