Property encryption and masking in Mule 4

  • July 23, 2020

Properties in Mule 4 can be encrypted to keep sensitive data, such as client IDs and client passwords, secure by using the property module MuleSoft provides. Use either a .yaml or a .properties file to encrypt.

Properties files generally store information such as client IDs, secrets, user IDs, user passwords, Splunk tokens, OAuth tokens and AWS keys. To restrict unauthorized access and protect this data, the values inside any properties file must be encrypted.

This tech article discusses how to encrypt data inside any property file using MuleSoft’s Secure Property.

Creating secure properties takes three steps:

  • Create a configuration properties file.
  • Encrypt either the whole file or an individual property. For an individual property, define secure properties in the file by enclosing the encrypted values between the sequence ![value].
  • Configure the file in the project with the Mule Secure Configuration Properties Extension module dependency. The file must point to or include the decryption key.

Create a configuration properties file

The first task in securing configuration properties is to create a YAML configuration file (.yaml) or a Spring-formatted properties file (.properties), where you define the properties in src/main/resources in your Mule project. Use the Mule Secure Configuration Properties extension module to configure YAML or Properties file types.

Follow the steps below for more information.

  • Open Anypoint Studio
  • Go to the Project Folder -> src/main/resources
  • Select Create New file (the file extension can be either .yaml or .properties)

Create a Configuration Properties File


The following test.yaml and dev.properties files contain unencrypted configuration properties values:

test.yaml (sample yaml file)

http:
  port: "8081"
username: "Priyanka@pp"
password: "1254343654pp"

dev.properties (sample properties file)

encrypted.value1= sfdsgfdgfj1234566
encrypted.value2= xyz123568abc

testPropertyA=testValueA
testPropertyB=testValueB

Define secure configuration properties in the file

1. Add the Premium Security Connector in Anypoint Studio

Adding the Premium Security Connector

  • Open Anypoint Studio
  • Go to Help
  • Select Install New Software
  • Click Add — a new window will open
  • Provide:
    • A Name, such as: Anypoint Enterprise Security
    • A location, such as: http://security-update-site-1.4.s3.amazonaws.com
  • Click Ok
  • Go to the Work drop-down
  • In the drop-down list, select Anypoint Enterprise Security: http://security-update-site-1.4.s3.amazonaws.com
  • Select the Premium checkbox
  • Click Next, Accept Policy and Finish

Select the Premium checkbox

Now go to the application and right-click dev.properties.

Go to:

  • Open with
  • Mule Properties Editor

Your property file is now open in table editor view.

Mule Properties Editor

Double-click on any key — it will open a new window

  • Click Encrypt

In the next window, specify the algorithm used to encrypt/decrypt the value (for example, AES or Blowfish) and provide an encryption key (the key size must be at least 16 if the algorithm is AES).

  • Click OK

Press the Encrypt button

Encryption key


You can encrypt the rest of the properties the same way and then open the file with a text editor.

Encrypt the rest of the properties

Note: You can’t encrypt the .yaml file this way because the encryption process rearranges the alignment of all the property keys.

YAML file encryption can be achieved using the Java encryption JAR.

2. Encrypt properties using the Secure Properties tool (JAR)

  • Download secure-properties-tool.jar and put it into any folder
  • Put the unencrypted .yaml file in the same location

Encrypt Properties using Secure Properties Tool

  • Use the following syntax to encrypt or decrypt a single value or all the content of a properties file:

String level:

java -cp secure-properties-tool.jar com.mulesoft.tools.SecurePropertiesTool string <operation> <algorithm> <mode> <key> <input property>

java -cp secure-properties-tool.jar com.mulesoft.tools.SecurePropertiesTool string encrypt Blowfish CBC 123456789 PriyankaPaul

File/file level:

java -cp secure-properties-tool.jar com.mulesoft.tools.SecurePropertiesTool <method> <operation> <algorithm> <mode> <key> <input file> <output file>

java -cp secure-properties-tool.jar com.mulesoft.tools.SecurePropertiesTool file encrypt AES CBC 1234567812345678 dev-properties.yaml dev-out.yaml

Example of the file encryption:

Example of file encryption

3. Configure the secure property module and dependency in your project

Add the secure property module to your project and configure it. You can also download it from Exchange.

Maven dependency:

<dependency>
    <groupId>com.mulesoft.modules</groupId>
    <artifactId>mule-secure-configuration-property-module</artifactId>
    <classifier>mule-plugin</classifier>
    <version>1.0.0</version>
</dependency>

File: Property file name

Key: the encryption/decryption key. This token is passed in the runtime configuration as a program argument, for example:
-Dtoken=1234567812345678

Define the correct algorithm and mode used for encryption.

Define the correct algorithm

Using a secure property in your project

In any global configuration, you can use this secure property as ${secure::property.name}.

In DataWeave (dwl), you can also use the secure property as p('secure::property.name').

In the example below, we used the http port as ${secure::http.port} and decrypted_username_value: p('secure::username').

NOTE: The decryption process is done implicitly by the Mule Runtime engine, which requires only the key (passed as a VM argument) used to encrypt the password. And voilà, you’re done!

Use of secure property
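A check you could run in CI to confirm the steps above took effect, added here as an example that is not part of the original article or of MuleSoft's tooling: it flags secret-looking keys whose values are not wrapped in ![...] and secure:: references that point at plaintext or missing properties. The key-name patterns and the sample inputs are assumptions constructed for illustration, and only flat .properties files are handled, not YAML.

```python
import re

# A value the secure-properties module treats as encrypted is wrapped as ![...]
ENCRYPTED = re.compile(r"^!\[.+\]$")
# Key-name hints for secrets (assumption: adjust to your own naming scheme)
SENSITIVE = re.compile(r"password|secret|token|client[._-]?id|api[._-]?key", re.I)
# Matches both ${secure::name} in XML and p('secure::name') in DataWeave
SECURE_REF = re.compile(r"secure::([\w.\-]+)")

def parse_properties(text):
    """Parse flat .properties text into {key: value}, skipping comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(props_text, mule_xml=""):
    """Report plaintext secrets and secure:: references lacking an encrypted value."""
    props = parse_properties(props_text)
    is_enc = {k: bool(ENCRYPTED.match(v)) for k, v in props.items()}
    refs = sorted(set(SECURE_REF.findall(mule_xml)))
    return {
        "plaintext_secrets": sorted(
            k for k, v in props.items()
            if v and not is_enc[k] and SENSITIVE.search(k)),
        "secure_ref_plaintext": [r for r in refs if r in props and not is_enc[r]],
        "secure_ref_missing": [r for r in refs if r not in props],
    }

# Constructed sample input (not from a real project; the ciphertext is a dummy)
SAMPLE_PROPS = """\
# dev.properties
client.secret=![bm90LXJlYWwtY2lwaGVydGV4dA==]
db.password = 1254343654pp
http.port=8081
testPropertyA=testValueA
"""
SAMPLE_XML = """<http:listener-connection port="${secure::http.port}"/>
<set-variable value="#[p('secure::client.secret') ++ p('secure::aws.key')]"/>"""

if __name__ == "__main__":
    for finding, keys in audit(SAMPLE_PROPS, SAMPLE_XML).items():
        print(f"{finding}: {keys}")
```

A non-empty list under any of the three findings is a reason to fail the build before the file is committed or deployed.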


How to mask properties in Runtime Manager?

The secret key used to encrypt/decrypt secure properties in any application can be set as a hidden property in the mule-artifact.json file using the secureProperties key.

In the Project folder -> mule-artifact.json

secureProperties key


— By Priyanka Paul