Property Encryption and Masking in Mule 4

Author: Priyanka Paul

Properties in Mule 4 can be encrypted to keep our sensitive data like ClientID and Client Password secure. Secure property module provided by MuleSoft can be used to encrypt a .yaml or .properties file. Generally, in properties files we store information like Client id, Secret, UserId, UserPassword, Splunk Tokens, Oauth Token, AWS Keys, etc. 

We need to encrypt the data inside any property file to restrict unauthorized access and to protect the data. 

Let’s discuss how to achieve this using MuleSoft’s Secure Property.

Creating Secure Properties can be done in three steps:

Step 1: Create a configuration properties file.

Step 2: We can encrypt the whole file or encrypt individual property. For individual property, we can define secure properties in the file by enclosing the encrypted values between the sequence ![value].

Step 3: Configure the file in the project with the Mule Secure Configuration Properties Extension module dependency. The file must point to or include the decryption key.

Create a Configuration Properties File

The first task in securing configuration properties is to create a YAML configuration file (.yaml) or a Spring-formatted Properties file (.properties), where you define the properties in src/main/resources in your Mule project. The Mule Secure Configuration Properties extension module enables you to configure YAML or Properties file types.

Refer to the below artifacts for more information.

Open Anypoint Studio -> Go to Project Folder -> src/main/resources ->Select Create New file(File extension can be either .yaml or .properties)

The following test.yaml, dev.properties files contain non-encrypted configuration properties values:

test.yaml (sample yaml file)

http:
  port: "8081"
username: "Priyanka@pp"
password: "1254343654pp"

dev.properties (sample properties file)

encrypted.value1= sfdsgfdgfj1234566
encrypted.value2= xyz123568abc

testPropertyA=testValueA
testPropertyB=testValueB
How do we define Secure Configuration Properties in the File?
1. Adding the Premium Security Connector in AnyPoint Studio:

Open Anypoint Studio -> Go to Help -> Select Install New Software 

Click the Add button and it will open a window. Provide Name as: Anypoint Enterprise Security and provide Location as: http://security-update-site-1.4.s3.amazonaws.com and press Ok.

Go to the work drop down and check Anypoint Enterprise Security- http://security-update-site-1.4.s3.amazonaws.com in the dropdown list. 

Select it and select the Premium checkbox -> click Next – accept policy and finish.

Now go to application and right click on dev.properties and go to -> Open with -> Mule Properties Editor. Now your property file is open in table editor view.

Double click on any key. It will open a new window. Now, press the button Encrypt. In the next window, specify the ‘algorithm’(Algorithm used to encrypt/decrypt the value example- AES, Blowfish) and provide an encryption key(key size must be at least : ’16’ if it is AES algorithm) to encrypt. Press the OK button.

Similarly, you can encrypt the rest of the properties and open the file with a text editor.

Note: We cannot encrypt the yaml file this way, as after the encryption process all the property key alignment will be rearranged.

But, encryption of YAML file can be achieved using Java encryption JAR.

2. Encrypt Properties Using the Secure Properties Tool(jar)

Download Secure-properties-tool.jar and put it into any folder location. Put the unencrypted yaml file in the same location.

Use the following syntax to encrypt or decrypt all the content of a properties file:

String level-------
java -cp secure-properties-tool.jar com.mulesoft.tools.SecurePropertiesTool
string <operation><algorithm><mode><key><input property>

java -cp secure-properties-tool.jar com.mulesoft.tools.SecurePropertiesTool string encrypt Blowfish CBC 123456789 PriyankaPaul

File/file level--------
java -cp secure-properties-tool.jar com.mulesoft.tools.SecurePropertiesTool
<method><operation><algorithm><mode><key><input file><output file>

java -cp secure-properties-tool.jar com.mulesoft.tools.SecurePropertiesTool file encrypt AES CBC 1234567812345678 dev-properties.yaml dev-out.yaml

Example of file encryption:

3. Final step is configuring secure property module and dependency in project

Add the secure property module in your project and configure the same. It can be downloaded from exchange also.

Maven dependency:  

<dependency>
<groupId>com.mulesoft.modules</groupId>
<artifactId>mule-secure-configuration-property-module</artifactId>
<classifier>mule-plugin</classifier>
<version>1.0.0</version>
</dependency>

File: Property file name 

Key: encryption/decryption key. This token will be passed in runtime configuration as program argument. For example: -Dtoken=1234567812345678

Define the correct Algorithm and the mode used for encryption.

Use of Secure Property in Project

In any global configuration, you can use this secure property as ${secure:: property.name}.

In dwl we can also use secure property as p(‘secure:: property.name’).

In this below example, we used http port as ${secure:: http.port} and decrypted_username_value: p(‘secure::username’).

Please note that the decryption process will be done implicitly by the Mule Runtime engine and this requires only the Key (passed as VM argument) which was used to encrypt the Password and Voilà you’re done!


How to mask properties in runtime manager?

The secret key used to encrypt/decrypt our secure properties in any application can be set as a hidden property in mule-artifact.json file using secureProperties key.

In Project folder -> mule-artifact.json 

We use cookies on this site to enhance your user experience. For a complete overview of how we use cookies, please see our privacy policy.