Encrypted vRA custom properties with vRO – Part I

encryption vra vro

Recently I came across an Interesting customer request,

To be able to automate application installation in vRO, while database connection details will be provided by the end-user.

This being a production system, the requirement was to encrypt details, end-to-end.

While vRA does encrypt connection to vRO and vice-versa, values provided by end user to an IaaS blueprint are saved as is, plain-text. So to pass an encrypted value to a blueprint we need to encrypt the custom property. While using the vRA guest agent does offer a solution Here , vRO does not.

You can certainly use an external tool to encrypt and decrypt passwords passing a plain-text encrypted value as password and then decrypting it in vRO (More on that in Part II).

A simpler solution is to use the built in encryption method in vRA.

Information found in VMware KB #2092330 – Here ,

helped me automate the task of encrypting and decrypting vRA custom properties with vRO.

My Solution uses a Windows PowerShell host running with .NET Framework 4.5.2 and a small PowerShell Script. The IaaS host would be a perfect match.

(Optional) we need to copy two DLLs from the First IaaS Web node (Repository Role)

found in C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data  :

  1. DynamicOps.Core.Common.dll
  2. DynamicOps.Repository.dll

put them in the same folder, since #1 references #2.

in my implementation, I have put them in c:\dlls folder

Screen Shot 2016-08-13 at 13.44.39

The Following scripts provides the magic code

Encrypting (Using Scramble method) :

#dll to load
$dllPath = "c:\\dlls\\DynamicOps.Repository.dll";

#plaintext to encrypt
$plainText = "ExampleTextHere";

#load the dll
[System.Reflection.Assembly]::LoadFrom($dllPath) | Out-Null;

#encrypt plain text
$encText = [DynamicOps.Repository.ScramblerHelpersClient]::Scramble($plainText);

return $encText;

Decrypting (Using Unscramble method) :

#dll to load
$dllPath = "c:\\dlls\\DynamicOps.Repository.dll";

#encrypted value
$encText = "tB4PnHtI8h5qNFz006wBnQ==";

#load the dll
[System.Reflection.Assembly]::LoadFrom($dllPath) | Out-Null;

#decrypt text
$plainText = [DynamicOps.Repository.ScramblerHelpersClient]::Unscramble($encText);

return $plainText;

Now Connecting the dots –

  • In my example I am running the commands on my PowerShell host, so there was no need to provide the credentials again (CredSSP).

Workflow Name : vRA Scramble (/Yaniv/vRA Scramble)

Inputs : PowerShell Host, DLL folder path, plainText to encrypt

Output : Encrypted text.


Creating Script content

outputing text

Workflow Name : vRA Unscramble (/Yaniv/vRA Unscramble)

Inputs : PowerShell Host, DLL Folder path, Base64 encrypted text

Output : Plain Text

Similar to vRA Scramble, we use the same workflow pattern.Screen Shot 2016-08-13 at 18.45.10

You Can download the package here : com.parsingwings.vra.encrypt.package