AES is a symmetric-key algorithm, meaning the same crypto keys used to encrypt the passwords before persisting them at vRO server side are also used to decrypt the persisted data back as plain text when needed (eg. when trying to establish a connection to AD server).