Over a million developers have joined DZone.

Mule ESB + PGP: Pretty Good Privacy

DZone's Guide to

Mule ESB + PGP: Pretty Good Privacy

PGP is a mechanism used to encrypt and decrypt data; Mule ESB can encrypt the message payload or part of a payload using the PGP technique.

· Integration Zone ·
Free Resource

How to Transform Your Business in the Digital Age: Learn how organizations are re-architecting their integration strategy with data-driven app integration for true digital transformation.

Mule ESB is an integration framework developed on the Java platform. It allows applications to connect easily and allows you to deploy on-premises or in the cloud. It also allows you to communicate with different applications, internal and external ; these applications can be anything from application servers to standalone applications within your enterprise or across the internet.

PGP (Pretty Good Privacy)

PGP is a mechanism used to encrypt and decrypt data, providing privacy and authentication for data communication.

PGP is hybrid cryptosystem.


  • PGP first compresses the data
  • It then creates the session key and uses this key data will be encrypted
  • The generated session keys will be used to encrypt the public key of recipient’s key and it will be transmitted with ciphertext to the recipient.


  • The receiver uses a private key to recover the temporary session key from the copy.
  • PGP is responsible for decrypting the conventionally-encrypted ciphertext.

As part of Mule ESB, we can encrypt the message payload or part of a payload using the PGP technique.

Use a public key to distribute to those who will use it to encrypt and send messages to you.

Use a private key to decrypt the messages you receive which were encrypted using the public key.

Generate PGP Keys

You can use a tool such as GPG Keychain Access to create a new set of keys in the application (see screenshot below) or from the command line.

Note: As part of this article, I’m not explaining the key’s generation; this article talks about Mule Flow for encryption and decryption.


To encrypt or decrypt the message we need to configure some important elements in Mule Flow. This extension adds PGP security on endpoint communication. With PGP you can achieve end-to-end security communication with signed and encrypted.

Security Manager: Security Manager is solely responsible for holding key rings and the encryption strategy to be used. This allows for the encryption of all messages using the same key or to facilitate the use of different key rings.

Key Manager: which is responsible for reading the key rings.

Credential accessor: This bean will  find the key ring and key manager to be used to encrypt/decrypt the message being processed.

    <pgp:security-provider name="pgpSecurityProvider" keyManager-ref="pgpKeyManager"/>

    <spring:bean id="pgpKeyManager" class="org.mule.module.pgp.PGPKeyRingImpl" init-method="initialise">                  
        <spring:property name="publicKeyRingFileName" value="pubring.gpg"/>
        <spring:property name="secretKeyRingFileName" value="secring.gpg"/>
        <spring:property name="secretAliasId" value="${pgp.secretAliasId}"/>
            <spring:property name="secretPassphrase" value="${pgp.secretPassphrase}"/>

        <spring:bean id="credentialAccessor" class="com.pgp.AppCredentialAccessor">
            <spring:property name="credentials" value="${pgp.principal}"/>

Security-Provider: Security provider for PGP related functionality

keybased-encryption-strategy: The key-based PGP encryption strategy to use.

keyManager-ref: Reference to the key manager to use.

credentialsAccessor-ref: Reference to the credentials accessor to use.

Here the ‘pgpKeyManager’ bean is responsible for reading the keys (pubring, secring).

Credential Accessor: Credential accessor is a class which determines your key id. For instance the following class (used in the example) always returns the same fixed string, thus all the messages will be encrypted/decrypted using the same key id.

public class AppCredentialAccessor implements CredentialsAccessor {

    private String credentials = "pgp test (pgp) <pgptest@mulesoft.com>";

    public AppCredentialAccessor() {


    public AppCredentialAccessor(String string) {
        this.credentials = string;

    public String getCredentials() {
        return credentials;

    public void setCredentials(String credentials) {
        this.credentials = credentials;

    public Object getCredentials(MuleEvent event) {

    public void setCredentials(MuleEvent event, Object credentials) {
        // dummy

Mule Flow for Encryption:

<flow name="EncryptFilesFlow">
    <file:inbound-endpoint connector-ref="InputFile"
        path="<<Input Folder  location>>" moveToDirectory="<<TempLocation>>"
        moveToPattern="#[header:originalFilename].backup" transformer-refs="file2Bytes" />

    <encrypt-transformer name="pgpEncrypt" strategy-ref="pgpEncryptionStrategy" />

    <file:outbound-endpoint connector-ref="output"
        path="<<OutPutLocation>>" outputPattern="#[function:datestamp]-#[header:originalFilename]" />

Mule Flow for Decryption:

<flow name="DecryptFilesFlow ">

    <file:inbound-endpoint connector-ref="InputFile"
        path="<<InputFileLocation>>" moveToDirectory="<<InputFileLocationforBackup>>" "
        moveToPattern="#[header:originalFilename].backup" transformer-refs="file2Bytes" />

    <decrypt-transformer name="pgpDecrypt"
        strategy-ref="pgpEncryptionStrategy" />

    <file:outbound-endpoint connector-ref="output"
        path="<<OutPutLocation>>" outputPattern="#[function:datestamp]-#[header:originalFilename]" />


Related Refcard:

Build and deploy API integrations 7x faster. Try the Cloud Elements 100% RESTful platform for 30 days free. Access your trial here.


Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}