top of page

Cryptography Module Mule 4 - Part 1 (PGP Encryption/Decryption)

GitHub repository with the Mule project can be found at the end of the post.

Mule 4 has a Cryptography module which includes these 3 different strategies:

  • PGP

  • XML

  • JCE

In this article, we will see the PGP technique.


Pretty Good Privacy (PGP) is a cryptographic way that allows secure communication between two entities. It uses the public and private key concepts to encrypt the data as shown in the below diagram.


1. Install the Crypto Module from Exchange, located in the Mule palette.

Note: Here is the reference documentation on how to install new modules to your Mule Project: Adding Modules to Your Project.

2. Create private and public keys

Please follow the below steps to generate a public/private key pair:

  • Download and install the GnuPG from this link.

  • Install Kleopatra to use a Graphical User Interface (GUI).

  • To generate the keys, click on “New Key Pair” and follow the instructions on the screen.

  • Once the keys are generated, export them to the file system.

  • The generated files are of ASC format, which is not supported by Mule yet, so we need to dearmor the keys first. Run the following command: "./gpg --dearmor <PATH_TO_YOUR_ASC_FILE>" for each of the keys. This command will create new files alongside the ASC files that will have .gpg appended to their filename which are supported in Mule.

This is what you will get after following the previous steps:

  1. Public/Private keys

  2. Fingerprint

  3. Passphrase

  4. KeyId

Mule Code Implementation

We will limit our scope to PGP encrypt/decrypt operation in this article.

Global configurations

Create 2 global configurations:

  • Encryption – Configure public key, keyId, and fingerprint.

  • Decryption – Configure private key, keyId, and fingerprint.

**For projects: you should have these 2 configurations in different projects and all fields should be read from property files. The passphrase should be treated as a secure property.


1. Encryption/Decryption of entire payload


**To log or use payload in the next processor, convert the encrypted stream to a base64 data type.




2. Encryption/Decryption at field level

This is a very common non-functional requirement where sensitive fields should be encrypted.

For this, we can still reuse the pgp-encryption-flow and pgp-decryption-flow flows. The only change would be the way we refer to these flows from the main flow, and for that, the DataWeave lookup function is very useful.


**Used lookup function to invoke the pgp-encryption-flow.





So far we learned Mule code implementation for PGP. You can set this Mule code as a common service that will help to achieve the encryption/decryption non-functional requirement in many APIs.

Here are the 2 ways to set up this Mule code as a common service:

  1. Externalize the flow and publish it on the Anypoint Exchange.

  2. Create a common API, which will encrypt/decrypt the payload.


GitHub repository

2,502 views1 comment

1 Comment

Alex Martinez
Alex Martinez
Aug 18, 2020

Awesome post, Vikalp! Looking forward to part 2 :)

bottom of page