Skip to content

Encryption

Issues with Secure Properties Placeholder

Encrypting properties is something that is typically done using Secure Properties Placeholder.

However, one issue with that approach, is that when Secure Properties Placeholder is used, all Studio metadata for the project will be permanently broken and unusable which will impact developer productivity.

This is caused by a combinations of limitations / bugs in the framework and studio, but the short version is that there no workaround at time of writing this documentation.

So because of this we've added encryption / decryption support to this connector in a way that doesn't break studio metadata.

Key generation

Before you can encrypt properties, you will need to generate a key. You will need to do using Enhanced Mule Tools by running this command:

mvn -e com.aeontronix.enhanced-mule:enhanced-mule-tools-maven-plugin:1.4.62:shell -Dcmd="keygen"

which will return something like:

[INFO] Error stacktraces are turned on.
[INFO] Scanning for projects...
[INFO] 
[INFO] ------------------< org.apache.maven:standalone-pom >-------------------
[INFO] Building Maven Stub Project (No POM) 1
[INFO] --------------------------------[ pom ]---------------------------------
[INFO] 
[INFO] --- enhanced-mule-tools-maven-plugin:${version}:create-encryption-key (default-cli) @ standalone-pom ---
[INFO] Mule Encryption Key: aes:NQU0l5/nyadFhFGAVY1fB+sdV2V0R37GN6a28eTkO68
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  0.346 s
[INFO] Finished at: 2020-12-02T19:40:18-08:00
[INFO] ------------------------------------------------------------------------

Alternatively if you want just the key to be out to the stdout, use:

mvn -e com.aeontronix.enhanced-mule:enhanced-mule-tools-maven-plugin:${version}:create-encryption-key -q -DforceStdout

which will just return something like:

aes:NQU0l5/nyadFhFGAVY1fB+sdV2V0R37GN6a28eTkO68

Also you can do the same thing using the Enhanced Mule Tools command line:

emt keygen

or to write the key to a file:

emt keygen key.txt

To automatically register that key in your local workstation configuration, use the --save flag. ie:

emt keygen --save

As a technical note, the key generated is an AES 256 key base64 encoded.

Other types of keys can be generated, see KryptoTek Core for more details.

RSA Encryptioon / Decryption

It's also possible to generate an RSA instead of an AES key by using the -r option:

emt keygen -r

This will return two keys as shown below

Private Key: rsa:TUlJQ0lqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FnOEFNSUlDQ2dLQ0FnRUFva0w1em9BdFUxbStSQlh6aSt1UUJzRVkyeHdQQkp0NVlGa0RsNVpBV0M2VGMxOUZlRy9ILytwNEZnWmJBbWNDUDQ3Y1ovbUE5U1ZEWGdpSWp4TlJ2UW5xU0VyTFliVWxHVW5rODlrVXkwRjJ6M1U4VVZtY1hHQU0wYlVsTUIzMkhJQkUxd1NYK3hSNGlSUHhoNncxVWhWS3RhVjhMQ0xwRUdyakwxa1llSjFMZzhHMU9PN2cvTWxuN01YSkNpdXRPc1gxZ3hZU0cvdUZsSGxUZTNWeHR5K05pd3hoRXozcUxQdmo0LzFzazJ4aVRoSkZUcnJMemNJTlhpd2lQa1BsQjdydlU2empYL1FGNGFneGYxZ2hDck9zNlZmU284T1J4NnJDUGxXQnpMMVlwZmN5ZTRsdHY3ZjdJR0VQVlIwd0JZanRkL3FTSlJXRG15VThHRUVoaVJyVGJteDN3aE8zQjN3SkJ6b1I2TklxajBwYmNZY3UxdExPVDVmOTBTdzlnSnk4aUNONE43S1M4UThQemxUOTBSSEZPeE5rcllOY2NTTElldDJ4L1ZzMVpyanNxVkZaV0sxUldaSmsxeGg3Mk1OVFFKWWdSbGZHK1NsdlRPSFlCdGZvNVNWY2UvMFhlbHJoMlFwRjBCNjFwVnA1Z0dXTUZObjhuZ3Zwbk9QcC9vU1l1ZGhHa2JhRGl1QnVIRlJWWFpta3UxeTZEWk1RWm9BUkh5YmVvQVpCUVFzVWFLR25iNS9xaG00OFFyUjd2Z2RzZVg4R1RYVEZpQzJNUDE1M2VRaUtjaVdmcy9JSTU2cjgvNVY2b09UTzNDZzgyZEdwOHRpZmorekpyOCtjbytoV3lYZURsZ0ZjVkE1MFBlYktSekpObmlvcTNhVjFVT1lIS01mdTAxRUNBd0VBQVEuTUlJSlF3SUJBREFOQmdrcWhraUc5dzBCQVFFRkFBU0NDUzB3Z2drcEFnRUFBb0lDQVFDaVF2bk9nQzFUV2I1RUZmT0w2NUFHd1JqYkhBOEVtM2xnV1FPWGxrQllMcE56WDBWNGI4Zi82bmdXQmxzQ1p3SS9qdHhuK1lEMUpVTmVDSWlQRTFHOUNlcElTc3RodFNVWlNlVHoyUlRMUVhiUGRUeFJXWnhjWUF6UnRTVXdIZlljZ0VUWEJKZjdGSGlKRS9HSHJEVlNGVXExcFh3c0l1a1FhdU12V1JoNG5VdUR3YlU0N3VEOHlXZnN4Y2tLSzYwNnhmV0RGaEliKzRXVWVWTjdkWEczTDQyTERHRVRQZW9zKytQai9XeVRiR0pPRWtWT3Vzdk53ZzFlTENJK1ErVUh1dTlUck9OZjlBWGhxREYvV0NFS3M2enBWOUtqdzVISHFzSStWWUhNdlZpbDl6SjdpVzIvdC9zZ1lROVZIVEFGaU8xMytwSWxGWU9iSlR3WVFTR0pHdE51YkhmQ0U3Y0hmQWtIT2hIbzBpcVBTbHR4aHk3VzBzNVBsLzNSTEQyQW5MeUlJM2czc3BMeER3L09WUDNSRWNVN0UyU3RnMXh4SXNoNjNiSDlXelZtdU95cFVWbFlyVkZaa21UWEdIdll3MU5BbGlCR1Y4YjVLVzlNNGRnRzEramxKVng3L1JkNld1SFpDa1hRSHJXbFdubUFaWXdVMmZ5ZUMrbWM0K24raEppNTJFYVJ0b09LNEc0Y1ZGVmRtYVM3WExvTmt4Qm1nQkVmSnQ2Z0JrRkJDeFJvb2Fkdm4rcUdianhDdEh1K0IyeDVmd1pOZE1XSUxZdy9YbmQ1Q0lweUpaK3o4Z2pucXZ6L2xYcWc1TTdjS0R6WjBhbnkySitQN01tdno1eWo2RmJKZDRPV0FWeFVEblE5NXNwSE1rMmVLaXJkcFhWUTVnY294KzdUVVFJREFRQUJBb0lDQUVyd20rY2ZrODkzRjBUaXpvVEUydFFEd3JNUGxuQU9UbFNOUi9kdTBYRG9zZmtLKzA3UWNaSmtlK25RTGFCQ2F1dG4wNnZCdENtRWVFU3B0RWhBSi9RaTdDMVBQZmQyYmhmcjVPNHFTRXhIZzlQMDFWTE5ERVl0cGo0RVo1UjlnZmxQMUh0cUI3ZFNrUWplU1NMY0NoUksrU0pEdDhHNnJlR0RQRUhWNkZOc2NqLzc2dkxNZ09TL01GeE9UTGVCekpQa2NhdUZPZi9xZnB0QUhhcGJaNVd2UkxQL2w2WUhabXc0T2R4R1l5c0RWN092Qkl1RUFqU1pkd3NUWHcxYTFpQm4yYmpQbElQd2MvYndjMHZaTEFtQlNrN0szT0g5cFFxT2R2L0xCaFBGTDNnWFh4MW5MMlRvVi9kd1hHQjNCb0xINXNVTzJRaC9relRJVWFUeUQ4WkE1MVN1c3hLclZxOENVOXZxWWtaRVg3a2tVTndzdDc1SUFxdTg3b1BsdzVieCtaUWNHd1lsTlZ5T3IwWTdEbXR3VXpNamNJMDE2dGgrV256U2QydzlhRUtoL1lZeGtaSGJuRDcxZ2dmejJkUUZOb2c2S3NlbTRnbGlIM2tuK0Vtd0NBZ2ErUnhwSCt2VTh6ZnMxd1BNaFkycXNIbnNERVRIbkN6VUZaK2FBeCtYRnM4MHpCNXo1enpiVUtCejh6SU4ydExHZktrWFBNdmdzWlV6dUl3SDB6WWovNzNOMVVzcmJ4d2FPSVlxbk51YUN3THJvcGwwelFIVkJya1lna1RocWZGQzVhWlBFZjkzTVNBemxrdUkzMUp4QWJjVndjTkJwTEVuU01lcEgrNC96bE9JbW9zTGgvcHFvcllqRzFxa0gzR1JpbGlkVEo1d1RMaGp2MVF4QW9JQkFRRG55U3J4V1VmRVJyS3hrU0dHQUxFUmhnTTdSNzV0dGRabkZMNXE5TUNuZjZEUGJZQzNMN2pLZmNyUG9RaEM2M2ErZVN1eEZseGNxRjEwSEVVNHZZLy9QQzhCMEFzRHEvN2l1TDJCKzNMMzVreStOaHh3dXNKWXd1TmRLOXdVMEVILzJzbm5hTGdNMEVJaGJJdEN4WE1RREFZVTVDUWJKeC9aSEFrSWdSalFXTUk2NE5tMlI5dXd4MWZxY0hkV0k0Q3Bwb1ZlYStUZENrZ1JwUnBTdlo0Q1VDdTRaMW1ybHV3cGtLeFFHT0RaUlAzenNRc2JWRCtBSnVOSzdFQjREdmZWeFlpVGhKa1VoYS9PWC9IU0kzZm1seWswbFlVWXFKWU03Y2tzVGpGZUs1YjZITVphZkRvVFJveEZENmwxdkJqM2ZiMjFyWVYvWExralMxbUhZOC9iQW9JQkFRQ3pObmVxU0J5L05KRE1lVlZDYVBoZFREd3U3YzM3WFJsMU9TNGZMZTcwcU1xY1NISzRsR1RKZURuTlFROWxqN1cydlA0czdFMkNwK2svZW53YlFwYUdVMms1bU5nNjNucDJWc0NuajRwT2d3SXpQT1Y4SmQwcE1HYlNjb0Y3L2h6di9qUmpEZjFkYWlBUHlVeVBsbXA5L1VTYU5mT2MyeWZybHVUcmtnZURiSHM2bS9xeGk4c0lCWGlIcDY1K251STlkWFhTVkdNMHRKZm4vNlJNSlp4cTNNU2J6WTROSlJ1eU5uZjJZYURTdzZ3R1IzTTBkRlpiOC9HaGZ0TEJ4a1hUUmg5YTV4aXBBUXhwbmRaR0pPMnBDbDhEbGpZdGVvbDFNRkNkSlhobnM2S3JWbStWd1NEeDRlYWVXYVZYZ0JNOHA3UjNYYkdyUHJCWkhyblZSRmREQW9JQkFRQ252akdDeXc4aUg5d1FuNnk0TXVYeWZaNzNGdHZjd0IwektwTUlDcXNtVFRwUEE3dUVWMWdQeTJ1c1Nha1Y3UnhaaW8yeE1qS1RxQkZDQjNlZE1hcjFsMU9acHp0aFkrY3BvM01hajZSTGZmTUtNVlR4ekdiOEg4YTExaGtIUXhTUW1vRkdKTVlXRjkzVUhKN0lLdWN6dE0vdDdKR295TzdHakFDSmxBd21OQ1lVd0VjdklPQUFGclFzYVVva0g3dHNpNk8zaXJQdHVCUWlHTzlzOCtkWFd6ZlkwNHJVb0h1M05RbFBTa0huVzRQQ0NkMjA0SXE0THV5TmUxN0l4R1JkNUFBTWFvanlqakdHVkc5SW1meWE5OGlOVXF3cEJWRGFlSGYveFhMNjZPYnhpVU9QbHBuYysxQm1ab2hJT1dHRU13N0pYWlBnY1hWVzhxQVBXSS9EQW9JQkFRQ1R5T3JOaFVJUGV5MmRNTUZhVG0zaG9paFBHdE90NFl4STJxcHFFOXJsN3Z1Ri9VaDlaZ0huRWptNFJWcUpDZ1Z6ZUU2eWhQczJMM2x0VzNoVWtvakdwS28xVVJHZkdqQXF2a2VJNWhuTHZNVm5zMlFiQ0s1a2RRR1ZzYytOakhRWWhLeDJzdWFvemdjNmZXbWhUd3pxY0p6Ti9vZXlaaGQ1YzZtN2lXU2d3Q2l1b0VvUGQ1UXFQVGl6eFZka0cybTkvTXI0YzVhTHRCRkF3OU9jNTdjaGVJUzVacjBwb2R4QkRpSEhENk1ycXlpRTFRN3Z4ckFnaS81S2l1Y0ozSk5nTW9kUTB4bkc1Skp6MWpFSkR4TGRQeXd6TFAvb2FSQkpqMW9xL09kWnZRejc5Zjkyb3hpajN3SHF1MHBaNmNmelVPakZOb0o1RU8wajBPNjJLL0U1QW9JQkFIRjg0Mk5CSWJPOTloREdWYmVKcU1FOSsyYVB5SGZWNlZ2eE1Wb2NhR2RoUDcxenFnUHVkMGVVemNhRWRGeDdTVEVKbFNZZ01Bb3JETWFpRkxXbTlMeFp3cS9DL0JUUlRXREtUamh0ZWpKd0R2eWFhL0FMRW5nRHYvbVBaL00ybnpFd2xVTVJ5Rjh6TjYyaDlwMFdqc3J0WkkzY1VwVzhKWjArRVlJK0tpeHZhRFpJaU1MeUg1Mk10ZUFhdzFkNFVQc1YrQU9iTlRPZmlzWVFleFRVOEJJRktJSGlPTmFjUXZ1SGpTYkpRdHRxa0JzcmpYTGRNU1p3bng0aTkvZ3ZDRWtXVzUxK1RENm04ajVnRGcwN0Q2NXdpcjRMeDhmZVMwQlZhaHVQOUFyak1YeU8yM1FrUkg5Z1hYd2llUURsRE16Z1YwbXh6U0N5c0Y5amNNQ3ZuL3M
Public key: rsa-pub:MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAokL5zoAtU1m+RBXzi+uQBsEY2xwPBJt5YFkDl5ZAWC6Tc19FeG/H/+p4FgZbAmcCP47cZ/mA9SVDXgiIjxNRvQnqSErLYbUlGUnk89kUy0F2z3U8UVmcXGAM0bUlMB32HIBE1wSX+xR4iRPxh6w1UhVKtaV8LCLpEGrjL1kYeJ1Lg8G1OO7g/Mln7MXJCiutOsX1gxYSG/uFlHlTe3Vxty+NiwxhEz3qLPvj4/1sk2xiThJFTrrLzcINXiwiPkPlB7rvU6zjX/QF4agxf1ghCrOs6VfSo8ORx6rCPlWBzL1Ypfcye4ltv7f7IGEPVR0wBYjtd/qSJRWDmyU8GEEhiRrTbmx3whO3B3wJBzoR6NIqj0pbcYcu1tLOT5f90Sw9gJy8iCN4N7KS8Q8PzlT90RHFOxNkrYNccSLIet2x/Vs1ZrjsqVFZWK1RWZJk1xh72MNTQJYgRlfG+SlvTOHYBtfo5SVce/0Xelrh2QpF0B61pVp5gGWMFNn8ngvpnOPp/oSYudhGkbaDiuBuHFRVXZmku1y6DZMQZoARHybeoAZBQQsUaKGnb5/qhm48QrR7vgdseX8GTXTFiC2MP153eQiKciWfs/II56r8/5V6oOTO3Cg82dGp8tifj+zJr8+co+hWyXeDlgFcVA50PebKRzJNnioq3aV1UOYHKMfu01ECAwEAAQ

The private key can be used to both encrypt AND decrypt properties.

The public key can be used ONLY to encrypt properties.

A typical use of RSA keys would be to provide the public key to developers, allowing them to encrypt properties but not to decrypt properties.

Key usage

In order to use key encryption, you should the key using the system property em.config.key

To set the key in a developer workstation, you need to set the key in a configuration file.

To do it using Enhanced Mule Tools, use the CLI command:

emt config

It will search several locations for this file in the order shown below. If multiple files are found, the first found will be used ( ${user.home} represents the user home directory ).

  • enhanced-mule.config.json Under the current path
  • ${user.home}\.enhanced-mule.config.json
  • ${user.home}\.enhanced-mule\enhanced-mule.config.json
  • enhanced-mule.config.json in the application classpath

This file at it's simplest can be just as this example below

{
  "cryptoKey": "aes:YZIIrypmsqArAiCUaD1aHl4NvuHdgKSuYePYSiw911w"
}

Alternatively it is possible to have multiple profiles by using the following format. If using profiles, it will pick the profile set as the "default" profile.

{
  "default": "primaryProfile",
  "profiles": {
    "primaryProfile": {
      "cryptoKey": "aes:YZIIrypmsqArAiCUaD1aHl4NvuHdgKSuYePYSiw911w"
    },
    "otherProfile": {
      "orgs": ["9b317203-7b79-41f7-b3c7-59566ad03b5a","My Business Org"],
      "cryptoKey": "aes:I35FWGq1zKeV5BBH3+Q4pBN9x4KszQFehI9B5RDGhzw"
    }
  }
}

When profiles are used, it will attempt to find a profile that has a matching 'org' entry for either the org id or the org name, and if any is found it will use it. If no org match then it will use whatever profile is set as "default'.

So in the above example, if the application is deployed in an organization which name or id is 9b317203-7b79-41f7-b3c7-59566ad03b5a or My Business Org, then it will use the profile 'otherProfile'. If that is not the case then it would use the profile primaryProfile.

It will use the key under the profile that is specified as "default", so in that example the first key will be used (aes:YZIIrypmsqArAiCUaD1aHl4NvuHdgKSuYePYSiw911w)

Property encryption / decryption

In order to encrypt property files, you need to use Enhanced Mule Tools ( using maven or CLI ).

To encrypt all secure properties (run this command from the root of your project were pom.xml is located), using the key saved in your configuration file:

# Encrypt all properties in project using maven
mvn -e com.aeontronix.enhanced-mule:enhanced-mule-tools-maven-plugin:${version}:encrypt

# Encrypt all properties in project using CLI
emt encrypt

# Encrypt all properties in project using maven
mvn -e com.aeontronix.enhanced-mule:enhanced-mule-tools-maven-plugin:${version}:encrypt

# Encrypt all properties in project using CLI
emt encrypt

# Decrypt all properties in project using maven
mvn -e com.aeontronix.enhanced-mule:enhanced-mule-tools-maven-plugin:${version}:decrypt

# Decrypt all properties in project using CLI
emt decrypt

# Encrypt a property using maven
mvn -e com.aeontronix.enhanced-mule:enhanced-mule-tools-maven-plugin:${version}:encrypt -Dkey=aes:NQU0l5/nyadFhFGAVY1fB+sdV2V0R37GN6a28eTkO68

# Encrypt a property using maven
mvn -e com.aeontronix.enhanced-mule:enhanced-mule-tools-maven-plugin:${version}:encrypt -Dkey=aes:NQU0l5/nyadFhFGAVY1fB+sdV2V0R37GN6a28eTkO68

# Encrypt a property using CLI
emt encrypt -s aes:NQU0l5/nyadFhFGAVY1fB+sdV2V0R37GN6a28eTkO68 -v examplevalue

# Encrypt a property using CLI with key in a file
emt encrypt -f mykey.txt -v examplevalue

To decrypt a string use:

# Encrypt all property value files using maven
mvn -e com.aeontronix.enhanced-mule:enhanced-mule-tools-maven-plugin:${version}:decrypt -Dkey=aes:NQU0l5/nyadFhFGAVY1fB+sdV2V0R37GN6a28eTkO68
# Encrypt all property value files using CLI
emt decrypt -s aes:NQU0l5/nyadFhFGAVY1fB+sdV2V0R37GN6a28eTkO68
emt decrypt -f mykey.txt

It is also possible to encrypt/decrypt a single value using the following syntax:

# Encrypt a property using maven
mvn -e com.aeontronix.enhanced-mule:enhanced-mule-tools-maven-plugin:${version}:encrypt -Dkey=aes:NQU0l5/nyadFhFGAVY1fB+sdV2V0R37GN6a28eTkO68 -Dvalue=examplevalue
# Encrypt a property using CLI
emt encrypt -s aes:NQU0l5/nyadFhFGAVY1fB+sdV2V0R37GN6a28eTkO68 -v examplevalue
emt encrypt -f mykey.txt -v examplevalue
# Decrypt a property using maven
mvn -e com.aeontronix.enhanced-mule:enhanced-mule-tools-maven-plugin:${version}:decrypt -Dkey=aes:NQU0l5/nyadFhFGAVY1fB+sdV2V0R37GN6a28eTkO68 -Dvalue=beI3_cmarrhzGCdy2WwDq1FR1EIfQ99YwCxs-X6_cdw
# Encrypt a property using CLI
emt decrypt -s aes:NQU0l5/nyadFhFGAVY1fB+sdV2V0R37GN6a28eTkO68 -v beI3_cmarrhzGCdy2WwDq1FR1EIfQ99YwCxs-X6_cdw
emt decrypt -f mykey.txt -v beI3_cmarrhzGCdy2WwDq1FR1EIfQ99YwCxs-X6_cdw

Encrypted properties in Runtime Manager

Unlike secure properties, it is possible to set encrypted keys in runtime manager. However due to technical limitations, when setting the key in runtime manager, a '*' must be appended to the property key name.

For example to set encrypted property named 'my.secret', you need to add to runtime manager:

my.secret* = {{encrypted::beI3_cmarrhzGCdy2WwDq1FR1EIfQ99YwCxs-X6_cdw}}