Apisero is now part of NTT DATA - Learn more.

Search
Close this search box.

How To Set Up Kleopatra For PGP Encryption & Decryption Using MuleSoft

Author: Ashutosh Kumar

This blog serves as a guide to enable PGP Encryption and Decryption in a Mule 4 Application and configuring Kleopatra. We will go over how to generate Public and Private Keys with the GPG tool, Kleopatra, and how to encrypt and decrypt messages using the Mule 4 PGP Cryptography Connector.

Prerequisites:
  • Anypoint Studio (Latest version)
  • Kleopatra tool
  • Postman
Introduction:

Encryption involves converting data into a secret code to conceal its actual meaning. This process of encoding and decoding information is called cryptography. In computing, data that hasn’t been encrypted is termed as plaintext, while encrypted data is called ciphertext. The methods employed for encoding and decoding information are termed as encryption algorithms or ciphers. The primary purpose of encrypting data is to maintain the confidentiality of information transmitted over networks and the internet. By utilizing the crypto module in Mule 4, the potential for security breaches in API integration can be significantly reduced.

PGP (Pretty Good Privacy) is a technique employed to encrypt files and emails, ensuring their secure transmission. It shares similarities with other encryption systems like Kerberos, which authenticates network users, and SSL, used to secure websites. PGP provides a way to send encrypted files and emails, ensuring the confidentiality of information during transit.

PGP is a technology that allows you to sign messages, ensuring the recipient can verify both the identity of the sender and the integrity of the content. It involves a private key, which must be kept confidential, and a public key shared between the sender and receiver. GPG (Gnu Privacy Guard or GnuPG) serves as a practical alternative to PGP, being fully compatible and licensed under the GPL.

After installing the GPG tool (such as Kleopatra in this case) and setting up the public and private keys, you acquire the capability to encrypt and decrypt files. For example, you can encrypt a file located iOnce you have installed the GPG tool(Kleopatra in this case) and configured the public and private keys, you gain the ability to encrypt and decrypt files. For instance, you can encrypt a file situatn a different directory, with the intention of sharing it securely with a specific user.

Steps to configure the Public and Private Key using Kleopatra:
  1. Download the GPG tool, Kleopatra, from the provided link: https://www.gpg4win.org/download.html
  1. After downloading and installing, click on “New Key Pair.” Provide your Organization Name and the Authorized Email-Id linked to that organization. This could also be your email address and name. Then, click on “Protect the generated key with a passphrase.”
  1. Once provided, click on “Advanced Settings” and choose RSA with 2048 bits, as we’re generating keys based on that strategy in this blog. Also, select the “Valid Until” date range.
  1. Click OK and provide the passphrase. Then save the generated Fingerprint for the certificate.
  1. Right-click on the newly created certificate and select “Export” to generate the public key for that certificate. Rename the PublicKey as per the standard used for each project, and save the public key.
  1. Afterwards, right-click on the certificate once more and choose “Backup Secret Keys…”. Rename the Private key to be generated according to the project standard, and save it in the same folder as the public key. Then, click OK. Following that, provide the passphrase previously used for exporting the private key.

The Public and Private Keys are now generated and ready to be utilized by the Mule Application.

Steps to implement PGP encryption in the Mule Application:
  1. Create a new Mule project in Anypoint Studio. Click on “Search in Exchange” and search for the “Cryptography Module”. Choose the Cryptography Module with the latest version and add it to the project. After adding it, drag the Crypto module from the “Add Modules” section to the Mule project palette.
  1. Create a package named “pgpKeys” under the resources folder and place the Public/Private Keys within that package.
  1. Now, navigate to “Global Elements,” select “Create,” and search for “Crypto PGP configuration.”
  1. Enter the path for the Public/Private keys, Key Id (the email id used to create the certificate), the generated Fingerprint, and the passphrase used in the GPG tool (Kleopatra). Then, click OK.
  1. Now, add two HTTP listeners, one for encryption and the other for decryption, with paths /encrypt and /decrypt respectively. The HTTP listeners may use the default configuration for the purpose of this Proof of Concept.
  1. For PGP encryption: Drag the “Pgp encrypt” connector from the Mule palette to the flow with the /encrypt path HTTP listener. Set the payload received from Postman in the Transform Message component, and designate “Content” as the payload, “Algorithm” as “AES_256”, “File Name” as Stream, and “Key id” as the email used for certificate generation. Transform the encrypted payload into base64 format to convert the encrypted payload into a string value.
Use the below code to replicate the flow mentioned above:
<?xml version="1.0" encoding="UTF-8"?>

<mule xmlns:ee="http://www.mulesoft.org/schema/mule/ee/core" xmlns:http="http://www.mulesoft.org/schema/mule/http"
	xmlns:crypto="http://www.mulesoft.org/schema/mule/crypto"
	xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:doc="http://www.mulesoft.org/schema/mule/documentation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/crypto http://www.mulesoft.org/schema/mule/crypto/current/mule-crypto.xsd
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.mulesoft.org/schema/mule/ee/core http://www.mulesoft.org/schema/mule/ee/core/current/mule-ee.xsd">
	<crypto:pgp-config name="Crypto_Pgp" doc:name="Crypto Pgp" doc:id="054a5390-de07-4e5e-8727-402fde939c7c" publicKeyring="pgpKeys/Apisero_Client_Public_Key.asc" privateKeyring="pgpKeys/Apisero_Client_Private_Key.asc" >
		<crypto:pgp-key-infos >
			<crypto:pgp-asymmetric-key-info keyId="Your EmailId used" fingerprint="YOUR FingerPrint generated" passphrase="YourPassphrase" />
		</crypto:pgp-key-infos>
	</crypto:pgp-config>
	<http:listener-config name="HTTP_Listener_config" doc:name="HTTP Listener config" doc:id="f459de3b-57a6-49c4-9132-7d67616b74bd" >
		<http:listener-connection host="0.0.0.0" port="8081" />
	</http:listener-config>
	<flow name="pgp-pocFlow" doc:id="c2e07420-f976-4043-9cd0-15fff0f147a2" >
		<http:listener doc:name="Listener" doc:id="13916525-e837-4045-bc45-4aad08772c17" config-ref="HTTP_Listener_config" path="/encrypt"/>
		<logger level="INFO" doc:name="Logger" doc:id="263e72f9-8e21-4378-a15d-86d531c73016" />
		<ee:transform doc:name="Select the field to be encrypted" doc:id="c07dc553-348d-425b-ab6d-cf634a085f58" >
			<ee:message >
				<ee:set-payload ><![CDATA[%dw 2.0
output application/json
---
payload.message]]></ee:set-payload>
			</ee:message>
		</ee:transform>
		<crypto:pgp-encrypt doc:name="Pgp encrypt" doc:id="62634773-be01-4c8e-9be6-cbde22d6c7d9" config-ref="Crypto_Pgp" keyId="youremailid@domain.com" />
		<ee:transform doc:name="Set Encrypted payload to Base64 format" doc:id="34649e37-0fdc-4dd9-a78e-63c4a91e09d8" >
			<ee:message >
				<ee:set-payload ><![CDATA[%dw 2.0
import * from dw::core::Binaries
output application/json
---
{
	message: toBase64(payload as Binary)
}]]></ee:set-payload>
			</ee:message>
		</ee:transform>
	</flow>
  1. For PGP decryption: Add the “Pgp decrypt” connector from the Mule palette to the flow containing the /decrypt path HTTP listener. Set the payload received from Postman and convert the Base64 format to the actual text message in the Transform Message component. Specify “Content” as the payload, “File Name” as stream, “Validate if signature is found” as True, and select MimeType as application/json. Set the decrypted payload in string format as a response from the flow to Postman.
Use the below code to replicate the flow mentioned above:
<?xml version="1.0" encoding="UTF-8"?>

<mule xmlns:ee="http://www.mulesoft.org/schema/mule/ee/core" xmlns:http="http://www.mulesoft.org/schema/mule/http"
	xmlns:crypto="http://www.mulesoft.org/schema/mule/crypto"
	xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:doc="http://www.mulesoft.org/schema/mule/documentation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/crypto http://www.mulesoft.org/schema/mule/crypto/current/mule-crypto.xsd
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.mulesoft.org/schema/mule/ee/core http://www.mulesoft.org/schema/mule/ee/core/current/mule-ee.xsd">
	<crypto:pgp-config name="Crypto_Pgp" doc:name="Crypto Pgp" doc:id="054a5390-de07-4e5e-8727-402fde939c7c" publicKeyring="pgpKeys/Apisero_Client_Public_Key.asc" privateKeyring="pgpKeys/Apisero_Client_Private_Key.asc" >
		<crypto:pgp-key-infos >
			<crypto:pgp-asymmetric-key-info keyId="Your EmailId used" fingerprint="YOUR FingerPrint generated" passphrase="YourPassphrase" />
		</crypto:pgp-key-infos>
	</crypto:pgp-config>
	<http:listener-config name="HTTP_Listener_config" doc:name="HTTP Listener config" doc:id="f459de3b-57a6-49c4-9132-7d67616b74bd" >
		<http:listener-connection host="0.0.0.0" port="8081" />
	</http:listener-config>
	
	<flow name="pgp-pocFlow1" doc:id="a2857683-a65e-4ce7-9c72-a9a27b54b0dd" >
		<http:listener doc:name="Listener" doc:id="3173e16e-158e-4569-8a1d-6b5a928b4d3f" config-ref="HTTP_Listener_config" path="/decrypt"/>
		<logger level="INFO" doc:name="Logger" doc:id="4a87d3ed-2e11-4846-97c2-f2478ceccfb5" />
		<ee:transform doc:name="Convert message from Base64 format to encrypted text message format" doc:id="ca18c063-5434-438c-9cea-63fe319e16fc" >
			<ee:message >
				<ee:set-payload ><![CDATA[%dw 2.0
import fromBase64 from dw::core::Binaries
output application/java
---
fromBase64((payload.message))]]></ee:set-payload>
			</ee:message>
		</ee:transform>
		<crypto:pgp-decrypt doc:name="Pgp decrypt" doc:id="1f4f622a-2afc-4f7f-925b-34060b6856eb" config-ref="Crypto_Pgp" fileName="stream" validateIfSignatureFound="true" outputMimeType="application/json">
		</crypto:pgp-decrypt>
		<ee:transform doc:name="Set the response payload" doc:id="5405f6a9-1ab0-40dc-9572-8ab02a080b96" >
			<ee:message >
				<ee:set-payload ><![CDATA[%dw 2.0
output application/json
---
{
	message: payload
}]]></ee:set-payload>
			</ee:message>
		</ee:transform>
	</flow>
</mule>
Responses from Postman after running the Mule application:

We use cookies on this site to enhance your user experience. For a complete overview of how we use cookies, please see our privacy policy.