How to use passwords from Zoho Vault in RPA flows
This tutorial outlines the steps to securely retrieve and use encrypted passwords from Zoho vault within your RPA flows.
We will cover this in two sections:
Initial setup and master key generation: Initial steps required in Zoho Vault to generate the necessary master key for secure API access.
RPA flow setup: Steps on how to use the user name and password within your RPA flows.
Prerequisites
Supported RPA agent platforms : Windows
Required Zoho accounts : Zoho Flow, Zoho Vault
Software Installed : Windows PowerShell
Initial Setup and Master key generation
This is a required, one-time configuration process. The primary goal here is to generate the master key, which is essential for securely decrypting the credentials and using it in your RPA flow.
Register the API client
To generate the master key, we must first make an authorized API request to Zoho Vault. While this request could be made from any service (like Postman), we will use the custom function feature within Zoho RPA to achieve this.
This requires setting up an API Client in the Zoho developer console. An API Client is a set of credentials (Client ID and Secret) that securely authorizes your API request, ensuring it has required access needed to communicate with Zoho Vault.
Follow these steps to create and register the API client:
- Navigate to the developer console using the URL that corresponds to the location of your data center.
https://api-console.zoho.<replace_data_center>/
Data Center: Use .com for US, .in for India, or .eu for Europe. - If this is your first time accessing the console, click Get Started. Otherwise, click Add Client.
- Choose Self Client as the client type. (Note: If you already have a configured Self Client, you may use that one.)
- Define the necessary scopes. Scopes specify the exact permissions for this client. Use the following scopes: ZohoVault.secrets.READ, ZohoVault.user.READ
- Set the code expiration duration for the client (e.g., 10 minutes) and click Generate.
- Download the generated codes.
Generate SALT, Sharing Key (K) and Private Key (P)
The next step is to generate the SALT, sharing key and private key that is required to derive the master key.
1. Create a custom function in your RPA account and paste the following code. Learn to create custom functions
- void fetchOnetimeVaultKeys(string code, string client_id, string client_secret, string dc)
- {
- refreshTokenResponse = invokeurl
- [
- url :"https://accounts.zoho." + dc + "/oauth/v2/token?code=" + code + "&client_id=" + client_id + "&client_secret=" + client_secret + "&grant_type=authorization_code"
- type :POST
- ];
- token = refreshTokenResponse.get("access_token");
- headers = Map();
- headers.put("Authorization","Zoho-oauthtoken " + token);
- getLoginResponse = invokeurl
- [
- url :"https://vault.zoho." + dc + "/api/json/login?OPERATION_NAME=GET_LOGIN"
- type :GET
- headers:headers
- ];
- info "SALT : " + getLoginResponse.get("operation").get("details").get("SALT");
- openVaultResponse = invokeurl
- [
- url :"https://vault.zoho." + dc + "/api/json/login?OPERATION_NAME=OPEN_VAULT"
- type :GET
- headers:headers
- ];
- info "PRIVATE KEY : " + openVaultResponse.get("operation").get("details").get("PRIVATEKEY");
- info "SHARING KEY : " + openVaultResponse.get("operation").get("details").get("SHARINGKEY");
- }
2. Execute the function using the keys (Client ID, Secret, and Code) obtained from the previous step. Ensure the Data Center (DC) value input given to your function is correct (e.g., .com, .in, or .eu).
Note: If you receive an error, your authorization code may have expired. Regenerate the code in the Developer console and execute the function again.
3. Once the function executes successfully, three important keys will be generated. Click the Info tab. Copy and save the keys (SALT, Private key, Sharing key) temporarily.
Derive Master and ORG keys
We will use the keys generated in the previous step (SALT, Private key, Sharing key) to derive the Master key.
- Download the Zoho Vault key derivation HTML file and open it using a web browser of your choice (e.g., Ulaa, Chrome, or Firefox).
- Fill in the form inputs. Enter your master key password and also fill in the keys generated from our previous step.(SALT, Private key, sharing key)
- After filling in the inputs, the master key and org key will be generated. Copy the generated keys from the Decryption section. If the org key is not generated, only the master key is needed. These keys will be required in the next step.
Create PowerShell decryption script
The final step of this setup is to create the decryption script using the keys you just generated.
1. On the desktop machine where your RPA workflow will run, download this PowerShell script file. Rename this file to DecryptVault.ps1
Make sure you fill in your ORG Key and Master Key in the code.
- /*Reference of the code where you need to change the ORG/Master key*/
- $masterKey = "<replace_here>"
- $orgKey = "<replace_here>"
Note: If your ORG Key contains a double quote ("), make sure you use a backtick (`) before double quote (") to escape the character in your PowerShell script.
2. Save the file. Rename it to (e.g.g DecryptVault.ps1) and place it in the location where you need it.
RPA flow setup
This section details how to set up your Zoho RPA flow to securely fetch passwords from Zoho Vault, decrypt them using the PowerShell script (DecryptVault.ps1), and securely input them into a web portal or desktop application.
Setting up this flow is a multi-step process designed to maintain security by keeping the credentials encrypted until the moment we actually use them in the workflow execution. The process involves fetching the encrypted password from Zoho Vault, decrypting it using a local powershell script and using the system clipboard for a temporary and secure input.
The flow first uses the fetch password action to retrieve the encrypted credentials. A custom function is then used to parse and separate the encrypted username and password. For each output (i.e., username and password), the flow executes the powerShell script via the Open Application action, passing the encrypted data string for decryption. The script places the decrypted data directly on the clipboard. The credential is then pasted into the application using the Send hotkeys action. After these steps are repeated for both the username and password a final PowerShell command is run to immediately clear the clipboard to ensure no sensitive data remains exposed.
Let's look at how to implement this process in detail.
Create RPA flow
- Create the required RPA flow, or navigate to the flow where you want to retrieve passwords from Zoho Vault. Ensure the Agent machine that will execute this flow has the PowerShell decryption file (DecryptVault.ps1) ready and accessible.
- Use a Web or Windows actions (like Open Application for invoicegenerator.exe or Open URL for myportal.com) to get to the required login screen.
- Use the Click action to indicate the corresponding field (username or password) where you want to input the username.
Fetch password from Zoho Vault
Drag and drop the fetch password action(Under the Apps section) into your flow. In the configuration window, enter the exact password name you want to fetch from Zoho Vault.
Next, we will use a set of actions that will retrieve the encrypted password from vault.
Get encrypted username and password
1. Create a Custom function to parse the JSON output and get the encrypted credentials. Navigate to the Logic tab, and under Custom function, create a new custom function:
map parseVaultPassword(string secretData)
{
password = secretData.getJSON("password");
username = secretData.getJSON("username");
outputData = Map();
outputData.put("username",username);
outputData.put("password",password);
return outputData;
}
2. Use this function in the workflow, and make sure you map the password data as the input to it.
The output of this function will provide the separate encrypted username and password variables.
Decrypt and input username
Here, we will pass the encrypted username and necessary parameters to the PowerShell script for decryption.
1. Drag and drop the Open Application action, found under the Windows App category, into your flow.
2. Use the Indicate on screen option to locate your PowerShell application on the desktop machine.
3. In the Arguments field, use the following commands. Remember to replace the file path with the actual path on your machine.
-- powershell.exe -NoProfile -NoExit -ExecutionPolicy Bypass -File <replace_file_path> -cipherText "${parseVaultPassword_2.username}" -isShared "${fetchPassword_1.isshared}" -displayValue "NO"
where,
<replace_file_path> - Full path to the DecryptVault.ps1 file on your local machine. (e.g., C:\Users\Demo_user\Desktop\DecryptVault.ps1)
${parseVaultPassword.username} - username output from the parseVaultPassword custom function. (See the screenshot below.)
${fetchPassword_1.isshared} - isshared output parameter from the fetch password action. (see the screenshot below.)
4. Use the Send hotkeys action (from the Web or Windows category) into the flow and configure it (Ctrl + V) to send the paste it into the input field.
5. Add any subsequent actions required for the login process, such as a Click action on the "password " or "Next" button.
Decrypt and input password
We'll need to repeat all of these steps to enter the password into the required field.
1. Drag and drop the Open Application action, found under the Windows App category, into your flow.
2. Use the Indicate on screen option to locate your PowerShell application on the desktop machine.
3. In the Arguments field, use the following commands. Remember to replace the file path with the actual path on your machine.
-- powershell.exe -NoProfile -NoExit -ExecutionPolicy Bypass -File <replace_file_path> -cipherText "${parseVaultPassword_2.password}" -isShared "${fetchPassword_1.isshared}" -displayValue "NO"
where,
<replace_file_path> - Full path to the DecryptVault.ps1 file on your local machine. (e.g., C:\Users\Demo_user\Desktop\DecryptVault.ps1)
${parseVaultPassword.password} - password output from the parseVaultPassword custom function.
${fetchPassword_1.isshared} - isshared output parameter from the Fetch Password action. (See the screenshot below.)
4. Use the Send hotkeys action (from the Web or Windows category) into the flow and configure it (Ctrl + V) to send the paste it into the input field.
5. Add any subsequent actions required for the login process, such as a Click action on the "Login" button.
Clear clipboard and continue
For security, the clipboard must be cleared immediately after pasting the password.
1. Drag and drop the Open Application action, found under the Windows App category, into your flow.
2. In the Arguments field, use the following commands.
-- powershell.exe -NoProfile -NoExit -ExecutionPolicy Bypass -File <replace_filePath> -clearClipboard YES
where, <replace_filePath - Full path to the DecryptVault.ps1 file on your local machine. (e.g., C:\Users\Demo_user\Desktop\DecryptVault.ps1)
You can now proceed with the remaining steps of your automation flow.
Watch this video below to see the bot in action.
Access your files securely from anywhere
Zoho CRM Training Programs
Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.
Zoho DataPrep Personalized Demo
If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.
- Zoho Workerly Home
- Forums
- Connect With Us:
- Zoho Recruit Home
- Forums
- Connect With Us:
New to Zoho Writer?
Create. Review. Publish.
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
You are currently viewing the help pages of Qntrl’s earlier version. Click here to view our latest version—Qntrl 3.0's help articles.
New to Zoho Survey?
Zoho Sheet Resources
Zoho Forms Resources
New to Zoho Sign?
Zoho Sign Resources
Sign, Paperless!
New to Zoho TeamInbox?
Zoho TeamInbox Resources
New to Zoho ZeptoMail?
Design. Discuss. Deliver.
New to Zoho Workerly?
New to Zoho Recruit?
New to Zoho CRM?
New to Zoho Projects?
New to Zoho Sprints?
New to Zoho Assist?
New to Bigin?
Related Articles
Terminate RPA flows
The Terminate flow functionality allows users to instantly stop or abort running RPA flow executions. There are several scenarios where you might need to stop or terminate an RPA flow that is currently running. This might be due to a critical ...Introduction to Zoho RPA
What is RPA? Robotic Process Automation (RPA) is a software technology that automates business processes by deploying software robots to mimic human-like interactions on applications. RPA bots can interact with any application or system based on its ...RPA flow
What is an RPA flow? RPA flows are like processes or workflows that you can create to automate tasks. An RPA flow is made of a trigger and one or more actions. The trigger initiates the flow, and the actions are the tasks that are executed by the ...Understand your Zoho RPA Account
Key Terminologies Flow A workflow you can create to automate tasks using RPA actions, cloud app integration, and processing actions, such as logic, delay, and send mail. A flow contains a trigger and one or more actions. For example, when a new ...Rerun flows
Zoho RPA provides robust rerun capabilities to ensure the smooth operation of your automated workflows. These options come in handy when tasks encounter errors, allowing them to bounce back and complete successfully. There are two types of reruns ...
New to Zoho LandingPage?
Zoho LandingPage Resources