using pgp with mule

PGP (Pretty Good Privacy) with Mule - Anil Kumar. V

Upload: anil-kumar-v

Post on 16-Jan-2017


PGP in a Nutshell

What is PGP

PGP (Pretty Good Privacy), created by Phil Zimmermann, is a data encryption and decryption program that provides privacy for data communicated between two parties.

PGP works by encrypting a message using a public key that’s tied to a specific user; when that user receives the message, they use a private key that is known only to them to decrypt it.

How secure is PGP

While it is impossible to say that any encryption methodology is safe and secure, PGP is generally considered extremely safe and secure. Bruce Schneier, an internationally renowned security technologist, stated that PGP is the encryption methodology that comes closest to military-grade encryption and that there are no practical weaknesses.


How PGP can be used with Mule and where?

Mule supports security through the Anypoint Enterprise Security module. First, make sure the Anypoint Enterprise Security module is installed in Anypoint Studio, i.e., the Mule IDE. To add the Security module to Anypoint Studio, please follow the instructions here.

Once the Anypoint Enterprise Security module is installed, you should see a new palette group called Security in the studio, like this


Encryption Module

Mule can encrypt the entire payload or specific parts of the payload, depending on the encryption strategy. Mule supports 3 encryption strategies:

Encryption Strategy Name and Characteristics

JCE Encrypter (Default)
• Encrypts Stream, byte[] or String type of payload

XML Encrypter
• Encrypts String type of payload
• Encrypts full payload or partial using xpath

PGP Encrypter
• Encrypts Stream, byte[] or String type of payload
• Adds processing overhead

Note: PGP is generally considered extremely safe and secure compared with the JCE and XML Encrypters.


Let's consider a small use case to demonstrate how to implement PGP encryption in Mule with the ‘Encryption Processor’.

Use case: In this article, we will implement a flow that fetches data from a database table and sends it to a queue in Active MQ, encrypting the data before sending it to the queue.

Components used in this use case:

• HTTP: To trigger the flow
• Database: Fetch the data from database
• JMS: Enqueue/Dequeue messages
• Encryption: PGP Encryption to encrypt the data
• Object to Byte Array: Convert payload object into byte array for PGP to process
• Byte Array to Object: Convert payload from byte array to object after PGP process
• For Each: Iterate over the database results


Create a new project, viz., pgp_test, in Anypoint Studio by selecting File > New > Mule Project from the top menu bar.


After the project is created, create a flow with the following components and transformers in the same order:

Flow should look like

1. HTTP: URL http://localhost:8081/pgptest

2. Database: Configure to select data from a simple table, something like an Employee table in your local/remote db

3. For Each

4. Object to Byte Array

5. Encryption: Refer to the next slide/page

6. JMS: Point to a queue, viz., ‘employee’, in your local Active MQ


Let's see what is required to configure the ‘Encryption’ module in detail:

1). Configure the Encryption module to use the PGP_ENCRYPTER as per below

2). Add a Global Encryption Configuration by clicking on the Connector Configuration + icon under Basic Settings and set the value to PGP_ENCRYPTER for Default Encrypter as shown below


3). Select the ‘Pgp Encrypter’ tab and select the ‘Define attributes’

What is a key ring?

In secure data transmission, a key ring consists of a public key and its corresponding private key, both of which are required to read the data.

You can use my Public Key Ring & Secret Key Ring files in the flow. If you intend to do so, set the rest of the values as follows:

Secret Alias Id : 8923421754335606047
Secret Passphrase : mulepgp
Principal : mulepgp


4). If you prefer to generate your own key ring files, you can make use of the gpg command-line utility.

• GPG Keychain Access for Mac OS
• Gpg4win for Windows

This screenshot shows how my keys were generated using the gpg command from Windows. Note that the pubring.gpg and secring.gpg key files will be created in a hidden directory called `gnupg` under the user home directory. On Windows, this will be in C:\Users\<username>\AppData\Roaming\gnupg.

The Principal will be the USER-ID, which is a combination of the Real Name, Email Address and Comment. To keep it simple, you can just choose a simple Real Name and leave the email and comment blank. In my example, I simply set the Real Name to `mulepgp` and the Secret Passphrase to `mulepgp`.

Determining the numeric value for the `Secret Alias Id` is not obvious. The GPG utility does not show this numeric value. The best way to derive this is by letting Mule give you some clues. Put any random number initially for the `Secret Alias Id` and run it to let Mule throw an error on purpose. In the exception thrown from the console output, it will show you a message with the keys you can use.

Thanks Mariano Gonzales for the above tips
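
One way to work out the `Secret Alias Id` and the Principal without the deliberate-error run, as an added example that is not part of the original slides. It assumes the Secret Alias Id is the 64-bit OpenPGP key ID written as a signed decimal (the form in which a Java long prints) and parses the machine-readable listing from `gpg --list-secret-keys --with-colons`; the function names are hypothetical and the sample listing is constructed.

```python
# Added example: derive Mule's "Secret Alias Id" and "Principal" from gpg output.
# Assumption (not stated on the page): the Secret Alias Id is the 64-bit OpenPGP
# key ID written as a signed decimal, the form in which a Java long prints.

def key_id_to_alias(hex_key_id):
    """Convert a 16-hex-digit long key ID to a signed 64-bit decimal."""
    digits = hex_key_id.strip()
    if digits[:2].lower() == "0x":
        digits = digits[2:]
    if len(digits) != 16:
        raise ValueError("expected the 16-hex-digit long key ID, got %r" % hex_key_id)
    value = int(digits, 16)  # raises ValueError on non-hex input
    return value - (1 << 64) if value >= (1 << 63) else value

def alias_to_key_id(alias):
    """Inverse mapping: signed decimal back to the hex form gpg displays."""
    return format(alias & 0xFFFFFFFFFFFFFFFF, "016X")

def mule_settings(colon_listing):
    """Parse `gpg --list-secret-keys --with-colons` text into Mule's two values."""
    aliases, principals = [], []
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("sec", "ssb") and len(fields) > 4:   # field 5 = key ID
            aliases.append((fields[0], fields[4], key_id_to_alias(fields[4])))
        elif fields[0] == "uid" and len(fields) > 9:          # field 10 = USER-ID
            principals.append(fields[9])
    return {"secret_alias_ids": aliases, "principals": principals}

PAGE_ALIAS = 8923421754335606047  # Secret Alias Id quoted on the page

# Constructed sample listing (not real gpg output). The primary key's hex ID is
# computed from the page's decimal value; the subkey ID is made up.
SAMPLE = "\n".join([
    "sec:u:2048:1:%s:1484524800:::u:::scESC:" % alias_to_key_id(PAGE_ALIAS),
    "uid:u::::1484524800::0000000000000000000000000000000000000000::mulepgp:",
    "ssb:u:2048:1:F000000000000001:1484524800::::::e:",
])

if __name__ == "__main__":
    found = mule_settings(SAMPLE)
    for record, hex_id, alias in found["secret_alias_ids"]:
        print("%s key ID %s -> Secret Alias Id %d" % (record, hex_id, alias))
    print("Principal candidates:", found["principals"])
```

With a real key ring, pass the function the text produced by `gpg --list-secret-keys --with-colons`; key IDs whose top bit is set come out as negative numbers.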


5). Okay….. We did talk too much, didn’t we? Now it’s time to test the talk

Run the flow as a Mule Application….. Check the console for successful application deployment

6). Open Postman or something similar, then enter the URL http://localhost:8081/pgptest with the GET method


And notice the console messages before and after encryption, that’s it guys…. It’s pretty simple to encrypt a message using PGP in Mule… isn’t it?

Complete flow is available for download
