How to Encrypt and Secure Properties in Mule 4

Main points:

  • Secure properties are encrypted using a command-line tool
  • A special prefix is used to identify encrypted properties
  • The Secure Config Properties module must be added to the application
  • Encrypted properties can be hidden from view in CloudHub

Encrypt properties

Application properties often include sensitive data such as passwords and API keys, which should be encrypted to prevent security issues such as unauthorised access and data breaches. Mule 4 provides a mechanism for encrypting properties and storing them in a dedicated secure property file.

Setting up a property file

There are three parts to configuring a Mule property file:

  1. The file in which the property’s keys and values are defined
  2. The global element “Configuration Property”
  3. The property placeholders in the application’s configuration

To learn more, read the How to configure Property Files in Mule 4 blog post.

How to encrypt and use secure properties

  1. Create a property file containing the properties you want to secure
  2. Pass the property file to the Secure Properties Tool
  3. Provide the Mule application with a secure properties configuration
  4. Add the Secure Configuration Properties module to the application
  5. Use the secure properties in your application
  6. Hide properties from view in Runtime Manager

Create a file containing properties to secure

The properties file can be either a YAML file (.yaml) or a Spring-formatted properties file (.properties). The best practice is to create the file in the src/main/resources project directory, which is on the classpath. It is common to use a suffix such as -secure to make clear that the file contains secure properties.

In figure 1, the property file dev-secure-properties.yaml includes the properties to be encrypted.

db:
  password: "Password123"
sfdc:
  api-key: "QWERTY123456"

Figure 1: Property file containing properties to encrypt

Pass the property file to the Secure Properties Tool

Download the secure property tool to the root of Anypoint Studio’s workspace. This tool is a Java archive that takes as parameters the location of the property file and some encryption configurations. It outputs a temporary property file containing the encrypted properties.

java -cp secure-properties-tool.jar com.mulesoft.tools.SecurePropertiesTool file encrypt Blowfish CBC encryptKey123 {project-dir}\src\main\resources\dev-secure-properties.yaml temp.yaml

Figure 2: Configuration of the secure property tool

The configuration of the secure properties tool includes the file to encrypt, the encryption algorithm and mode, and the encryption key. Visit the parameters reference for a summary and definition of all acceptable parameters.

When this command is executed on the command line, the properties file ({project-dir}\src\main\resources\dev-secure-properties.yaml) is encrypted using the encryption configuration (Blowfish CBC encryptKey123) and written to the temp.yaml file.

db:
  password: "![1rReggJpeXJt2xSatBSCVQ==]"
sfdc:
  api-key: "![nICTxGKlef+z9S1pOmCLug==]"

Figure 3: The encrypted properties in the temp.yaml file

Copy these encrypted properties into the dev-secure-properties.yaml file.
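
A check that can run before commit or in CI after the copy step above, as an added example that is not part of the original post: it flags any value in a secure property file that is not wrapped in the ![...] form shown in figure 3. The function names and the minimal YAML reader are assumptions made for this example, and the reader handles only the simple nested mapping layout of figure 1.

```python
import base64
import re

# The Secure Properties Tool wraps each encrypted value as ![base64] (figure 3).
ENCRYPTED = re.compile(r'^!\[([A-Za-z0-9+/]+={0,2})\]$')
BLOWFISH_BLOCK = 8  # bytes; CBC ciphertext is a whole number of cipher blocks


def leaf_values(text):
    """Yield (dotted_key, value) from a nested 'key: value' mapping as in figure 1.
    Assumption: no lists, anchors or multi-line scalars (minimal reader for this example)."""
    stack = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(':')
        while stack and stack[-1][0] >= indent:
            stack.pop()
        value = value.strip()
        if value:
            yield '.'.join([k for _, k in stack] + [key.strip()]), value.strip('"\'')
        else:
            stack.append((indent, key.strip()))


def find_unencrypted(text, block_size=BLOWFISH_BLOCK):
    """Return {dotted_key: reason} for each leaf that is not well-formed tool output."""
    problems = {}
    for path, value in leaf_values(text):
        match = ENCRYPTED.match(value)
        if not match:
            problems[path] = 'plaintext value'
            continue
        try:
            blob = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            problems[path] = 'not valid base64'
            continue
        if len(blob) % block_size:
            problems[path] = 'ciphertext is not a whole number of blocks'
    return problems


# Constructed sample: one value taken from figure 3, one left in plaintext by mistake.
SAMPLE = 'db:\n  password: "![1rReggJpeXJt2xSatBSCVQ==]"\nsfdc:\n  api-key: "QWERTY123456"\n'

if __name__ == '__main__':
    print(find_unencrypted(SAMPLE) or 'all values are encrypted')
```

A non-empty result means the file still holds a value that should not be committed as it stands.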

Provide a secure properties configuration

The property file must be referenced in the secure properties config in the application’s global elements, and the encryption settings used with the secure properties tool (above) must be specified there.

[Screenshot: secure properties global configuration]
Figure 4: The Secure properties configuration dialogue box

Add the Secure Configuration Properties module

The Secure Configuration Properties module is added so that the encrypted properties can be decrypted. The easiest way to add it is directly in the project’s pom.xml file.

<dependency>
  <groupId>com.mulesoft.modules</groupId>
  <artifactId>mule-secure-configuration-property-module</artifactId>
  <classifier>mule-plugin</classifier>
  <version>1.2.3</version>
</dependency>

Figure 5: The secure configuration property module Maven coordinates

Use the secure properties in your application

To use a secure property, it must be prefixed with secure:: as shown in figure 6 below.

${secure::db.password}
${secure::sfdc.api-key}

Figure 6: Using secure properties

Hide properties from view in Runtime Manager

The secure properties can be hidden from view in Anypoint Platform’s Runtime Manager. Read my blog How to Hide CloudHub Properties? to find out how to do this.
