Encrypting passwords in Mule

motif

Jasypt is an open source Java library which provides basic encryption capabilities using a high-level API. This library can be used with Mule to avoid clear text passwords for connectors and endpoints.First, download the latest distribution, unpack it and copy icu4j and jasypt jars to MULE_HOME/lib/user directory.

Then add the following snippet to your Mule config file:

Next, you will need to encrypt your passwords using Jasypt command line tools. For example,  if your Mule application connects to the MySql database using password “dbpassword”, encrypt it using the following command:

Where MyEncryptionPassword is your encryption key.  This command will produce the following output:

Now create a properties file that will list your encrypted passwords and place it in your project src/main/resources directory, e.g. credentials.properties:

Note the ENC() around our encrypted password, this is a que for Jasypt that it is dealing with an encrypted value.

Add the name of this file to the list of locations in the propertyConfigurer bean. Now you can use the property name in your data source configuration:

Finally, create a system variable with the same name as the value of the passwordEnvName property in the first snippet, e.g. MULE_ENCRYPTION_PASSWORD and set its value to the encryption key used for the encrypting your password, e.g.:

Thats it. You can now encrypt all passwords or any other values and Mule can read them and it starts up.

 


We'd love to hear your opinion on this post


5 Responses to “Encrypting passwords in Mule”

  1. Can we able to decrypt the ENC(password) stored in property file? Is this secure ?

    Agree(0)Disagree(0)Comment
  2. @Areev: It is a password-based encryption and values are decrypted at the runtime – so technically yes, anyone with the password would be able to decrypt it. There’s no way around it.

    Agree(0)Disagree(0)Comment
  3. Let me say that in the Mule configuration XML the reference to the context:property-placeholder file must come AFTER the jasypt beans configuration above, otherwise at runtime mule will still have the ENC(…) values

    Agree(0)Disagree(0)Comment
  4. Also,
    in your classpath you have to add jasypt-spring3 jar file

    Agree(0)Disagree(0)Comment
  5. You still need to keep the master password in clear text, which kind of defeats the purpose:
    export MULE_ENCRYPTION_PASSWORD=MyEncryptionPassword
    Then your adversary need only “decrypt.sh … MyEncryptionPassword”

    Practically, it is better (and no less secure) to simply “bite the bullet” and
    1) keep your password file in clear text
    2) strictly limit file visibility (only owner can read)
    3) don’t check it in to version control
    And it makes it very easy for operations to quickly change the password using their favorite text editor rather than having to remember the special encrypt.sh command line usage.

    Agree(3)Disagree(0)Comment