How to Encrypt and Secure Properties in Mule 4
Main points:
- Secure properties are encrypted using a command line tool
- Special prefix used to identify encrypted properties
- The Secure Config Properties module must be added to the application
- Encrypted properties can be hidden from view in CloudHub
Encrypt properties
Application properties often include sensitive data such as passwords and API keys, which should be encrypted to prevent security-related issues such as unauthorised access and data breaches. Mule 4 provides a mechanism for encrypting properties and storing them in a dedicated secure property file.
Setting up a property file
There are three parts to configuring a Mule property file:
- The file in which the property’s keys and values are defined
- The global element “Configuration Property”
- The property placeholders in the application’s configuration
To learn more, read the How to configure Property Files in Mule 4 blog post.
How to encrypt and use secure properties
- Create a property file containing the properties you want to secure
- Pass the property file to the Secure Properties Tool
- Provide the Mule application with a secure properties configuration
- Add the Secure Configuration Properties module to the application
- Use the secure properties in your application
- Hide properties from view in Runtime Manager
Create a file containing properties to secure
The properties file can be either a YAML file (.yaml) or a Spring-formatted properties file (.properties). The best practice is to create the file in the src/main/resources project directory, which is on the class path. It is common to use a suffix such as -secure to clearly identify that the file contains secure properties.
In figure 1, the property file dev-secure-properties.yaml includes the properties to be encrypted.
db:
  password: "Password123"
sfdc:
  api-key: "QWERTY123456"
Figure 1: Property file containing properties to encrypt
Pass the property file to the Secure Properties Tool
Download the secure property tool to the root of Anypoint Studio’s workspace. This tool is a Java archive that takes as parameters the location of the property file and some encryption configurations. It outputs a temporary property file containing the encrypted properties.
java -cp secure-properties-tool.jar com.mulesoft.tools.SecurePropertiesTool file encrypt Blowfish CBC encryptKey123 {project-dir}\src\main\resources\dev-secure-properties.yaml temp.yaml
Figure 2: Configuration of the secure property tool
The configuration of the secure properties tool includes the file to encrypt, the encryption algorithm and mode and the encryption key. Visit the parameters reference for a summary and definition of all acceptable parameters.
When this command is executed on the command line, the properties file ({project-dir}\src\main\resources\dev-secure-properties.yaml) is encrypted using the encryption configuration (Blowfish CBC encryptKey123) and written to the temp.yaml file.
db:
  password: "![1rReggJpeXJt2xSatBSCVQ==]"
sfdc:
  api-key: "![nICTxGKlef+z9S1pOmCLug==]"
Figure 3: The encrypted properties in the temp.yaml file
Copy these encrypted properties into the dev-secure-properties.yaml file.
Provide a secure properties configuration
The property file must be configured in a Secure Properties Config global element in the application, and the encryption settings passed to the secure properties tool (above) must be specified there.
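An added example, not the author's own configuration, of a Secure Properties Config global element that matches the Blowfish/CBC settings passed to the tool above. The config name Secure_Properties_Config and the property name encryption.key are assumptions chosen for illustration; the commented-out variant shows the weak form in which the key is committed next to the file it protects.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: names marked "assumed" are not from the original post. -->
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:secure-properties="http://www.mulesoft.org/schema/mule/secure-properties"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="
        http://www.mulesoft.org/schema/mule/core
        http://www.mulesoft.org/schema/mule/core/current/mule.xsd
        http://www.mulesoft.org/schema/mule/secure-properties
        http://www.mulesoft.org/schema/mule/secure-properties/current/mule-secure-properties.xsd">

    <!-- Weak form: anyone with the source can decrypt every property.
    <secure-properties:config name="Secure_Properties_Config"
                              file="dev-secure-properties.yaml"
                              key="encryptKey123">
        <secure-properties:encrypt algorithm="Blowfish" mode="CBC"/>
    </secure-properties:config>
    -->

    <!-- Preferred form: the key is resolved at startup from the
         encryption.key property (assumed name) and is never stored in
         the project. Algorithm and mode must equal the values given to
         the secure properties tool, otherwise decryption fails. -->
    <secure-properties:config name="Secure_Properties_Config"
                              file="dev-secure-properties.yaml"
                              key="${encryption.key}">
        <secure-properties:encrypt algorithm="Blowfish" mode="CBC"/>
    </secure-properties:config>

</mule>
```

With the preferred form the key is supplied when the runtime starts, for example as the JVM argument -Dencryption.key=<key>, so the encrypted file and the key travel separately.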

Add the Secure Configuration Properties module
The secure configuration properties module is added to allow for the decryption of the encrypted properties. It is added most easily directly to the project pom.xml file.
<dependency>
    <groupId>com.mulesoft.modules</groupId>
    <artifactId>mule-secure-configuration-property-module</artifactId>
    <classifier>mule-plugin</classifier>
    <version>1.2.3</version>
</dependency>
Figure 5: The secure configuration property module Maven coordinates
Use the secure properties in your application
To use a secure property it must be prefixed with secure:: as shown in figure 6 below.
${secure::db.password}
${secure::sfdc.api-key}
Figure 6: Using secure properties
Hide properties from view in Runtime Manager
The secure properties can be hidden from view in Anypoint Platform’s Runtime Manager. Read my blog How to Hide CloudHub Properties? to find out how to do this.