MuleSoft – SFTP and PGP Encryption

Many companies use standard protocols such as FTP and SFTP to transfer files to, and receive files from, external partners. FTP and SFTP provide a simple, low-cost platform for file exchange. In some business scenarios, however, companies have to exchange sensitive information such as employees' personal information, expense reports, or payment information, and the file contents themselves need protection, not only the transport.

Mule has the ability to encrypt a message payload, or part of a payload, using Pretty Good Privacy (PGP). PGP combines data compression and data encryption to secure messages. The compression reduces message transmission time between origin and destination.

There are two scenarios that this document addresses:

  • Using another party’s public key to encrypt messages in a Mule application
  • Using one’s own private and public key pair to accept and decrypt messages in a Mule application

What is Pretty Good Privacy (PGP)?

Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann created it in 1991.

MuleSoft SFTP Connector:

The SFTP Connector implements a secure file transport channel so that a Mule application can exchange files with external resources. We can implement the SFTP endpoint as an inbound endpoint with a one-way exchange pattern, or as an outbound endpoint configured for either a one-way or request-response exchange pattern.

Implementation:

Using MuleSoft Anypoint Studio, it is very easy to configure an SFTP connection so that a Mule application can exchange files. Mule also provides encryption and decryption capabilities.

In this example, we are going to look at how to configure the SFTP connector and use the data encryption/decryption capabilities. We will build a Mule application to:

  1. Read data file from SFTP location
  2. Encrypt file data
  3. Write encrypted file contents to SFTP location
  4. Read encrypted data file from SFTP location
  5. Decrypt file data
  6. Write decrypted file contents to SFTP location

I already have a public and private key pair to use for this application. Refer to the following links for more details regarding PGP:

Let’s begin creating a simple Mule application to address these requirements.

Create Mule Application:

The first step is to create a new Mule application using the wizard in the Anypoint platform.

Configure PGP:

Once the project is created, we will configure PGP. To do so, go to the “Global Elements” section and create the Spring beans.

You must have both public and private keys. You will have to configure the following properties:

  • secretKeyRingFileName : the path to the private (secret) key ring file.
  • publicKeyRingFileName : the path to the public key ring file.
  • secretAliasId : this one is tricky. Initially set it to “1”; we will come back to it in a few minutes.
  • secretPassphrase : the passphrase you used while generating the public/private key pair.
  • pgpCredentialAccessor : the name of the accessor used to look up the receiver’s public key in the public key ring.

Create the PgpCredentialAccessor class, a simple class that provides the credentials the receiver used to generate their key.

Finally, the configuration will look something like this.
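As an added example (not the original post’s screenshot), here are the global elements listed above written out as Mule 3.x XML: the key-manager and credential-accessor beans, the PGP security manager, and the two transformers the flows reference. The `org.mule.module.pgp` classes and `pgp:` elements follow the Mule 3 PGP module; `com.example.PgpCredentialAccessor`, the `${...}` property placeholders and the transformer names are assumptions.

```xml
<!-- Global PGP configuration (Mule 3.x style). The spring: and pgp:
     namespaces are assumed to be declared on the <mule> root element. -->
<spring:beans>
    <!-- Key manager: loads both key rings; secretAliasId and the passphrase
         select and unlock our own secret key, which is used for decryption. -->
    <spring:bean id="pgpKeyManager" class="org.mule.module.pgp.PGPKeyRingImpl"
                 init-method="initialise">
        <spring:property name="publicKeyRingFileName" value="${pgp.pubring}"/>
        <spring:property name="secretKeyRingFileName" value="${pgp.secring}"/>
        <!-- Start with "1"; replace it with the key value Mule logs at startup. -->
        <spring:property name="secretAliasId" value="1"/>
        <!-- Keep the passphrase out of the XML: resolve it from a property
             placeholder (assumed to be configured elsewhere in the app). -->
        <spring:property name="secretPassphrase" value="${pgp.passphrase}"/>
    </spring:bean>

    <!-- Our own class (assumed name): returns the user ID that identifies
         the receiver's public key in the public key ring. -->
    <spring:bean id="pgpCredentialAccessor"
                 class="com.example.PgpCredentialAccessor"/>
</spring:beans>

<pgp:security-manager>
    <pgp:security-provider name="pgpSecurityProvider"
                           keyManager-ref="pgpKeyManager"/>
    <!-- Encrypts to the receiver's public key, decrypts with our secret key -->
    <pgp:keybased-encryption-strategy name="keyBasedEncryptionStrategy"
                                      keyManager-ref="pgpKeyManager"
                                      credentialAccessor-ref="pgpCredentialAccessor"/>
</pgp:security-manager>

<!-- Global transformers that the read-flow and write-flow reference by name -->
<encrypt-transformer name="pgpEncrypt" strategy-ref="keyBasedEncryptionStrategy"/>
<decrypt-transformer name="pgpDecrypt" strategy-ref="keyBasedEncryptionStrategy"/>
```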

Create read-flow:

Now, we will build our first Mule flow to read a file from an SFTP location. The SFTP_IN connector reads the file from the external location. After receiving the file, the flow uses Mule’s encrypt-transformer to encrypt the file data and places the encrypted file in a different location. The SFTP_ENCRYPTED connector is configured to place the encrypted files in that external location. Our flow will look something like this:

Create write-flow:

Now, we will build another Mule flow to write a file to an SFTP location. The SFTP_ENCRYPTED connector reads the encrypted file from the external location. After receiving the file, the flow uses Mule’s decrypt-transformer to decrypt the file data and places the decrypted file in a different location. The SFTP_OUT connector is configured to place the decrypted files in that external location. Our flow will look something like this:
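As an added example (not the post’s own flow screenshots), the read-flow and write-flow described above written as Mule 3.x flows over the SFTP transport. It assumes the transformers are registered globally as `pgpEncrypt` and `pgpDecrypt`, that the `sftp:` namespace is declared on the root element, and that the host, credentials and directories are placeholders.

```xml
<!-- read-flow: /IN -> encrypt -> /ENCRYPTED (Mule 3.x SFTP transport) -->
<flow name="read-flow">
    <!-- SFTP_IN: poll the inbound directory for new plaintext files -->
    <sftp:inbound-endpoint host="${sftp.host}" port="22"
                           user="${sftp.user}" password="${sftp.password}"
                           path="/IN" pollingFrequency="10000"/>
    <!-- Encrypt the payload to the receiver's public key (global transformer) -->
    <transformer ref="pgpEncrypt"/>
    <!-- SFTP_ENCRYPTED: write the ciphertext, keeping the original file name -->
    <sftp:outbound-endpoint host="${sftp.host}" port="22"
                            user="${sftp.user}" password="${sftp.password}"
                            path="/ENCRYPTED"
                            outputPattern="#[message.inboundProperties['originalFilename']]"/>
</flow>

<!-- write-flow: /ENCRYPTED -> decrypt -> /OUT -->
<flow name="write-flow">
    <!-- SFTP_ENCRYPTED: poll for encrypted files -->
    <sftp:inbound-endpoint host="${sftp.host}" port="22"
                           user="${sftp.user}" password="${sftp.password}"
                           path="/ENCRYPTED" pollingFrequency="10000"/>
    <!-- Decrypt with our own secret key, selected by secretAliasId -->
    <transformer ref="pgpDecrypt"/>
    <!-- SFTP_OUT: write the recovered plaintext -->
    <sftp:outbound-endpoint host="${sftp.host}" port="22"
                            user="${sftp.user}" password="${sftp.password}"
                            path="/OUT"
                            outputPattern="#[message.inboundProperties['originalFilename']]"/>
</flow>
```

Key-based SFTP authentication is preferable to a password where the server supports it; the placeholders above at least keep the password out of the XML.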

Determine secretAliasId:

We will now try to run our Mule application. You will notice that the application fails on startup. Remember that we set secretAliasId to “1” in step 2 (Configure PGP)? This is the time to correct that value.

Note that Mule logs the possible key values in the console. In most cases the second key value from the logs is the one that works, but it is recommended to try both.

Update the PGP configuration with the appropriate key value:

Now, let’s update our PGP configuration with the correct secretAliasId value. The updated configuration will look something like this:

Now, we will try to run the application again. This time you will see that the application starts without any issues.

You can now place a file in the “/IN/” directory. Our read-flow will pick the file up from the “/IN/” folder, encrypt the file data and place the encrypted file in the “/ENCRYPTED/” folder.

Next, the write-flow will pick the encrypted file up from the “/ENCRYPTED/” directory, decrypt the file data and place the decrypted file in the “/OUT/” directory.

Things to Remember:

  • If you are running JDK 1.4+ with the Sun JCE that ships by default, you must install the Unlimited Strength Jurisdiction Policy files (available from Oracle for Java 7 and for Java 8). Newer releases (Java 8u161 and later, and Java 9+) enable unlimited-strength cryptography by default, so this step is only needed on older JDKs.
