Mule SFTP and PGP Encryption
By sagar
Apr. 4, 2016

Many companies use standard protocols such as FTP and SFTP to exchange files with external partners. FTP and SFTP provide a simple, low-cost platform for file exchange. In some business scenarios, companies have to exchange sensitive information such as employees’ personal information, expense reports and payment information.

MuleSoft has the ability to encrypt a message payload, or part of a payload, using Pretty Good Privacy (PGP). PGP combines data compression and data encryption to secure messages. The compression reduces message transmission time between origin and destination. There are two scenarios that this post addresses:

  • Using another party’s public key to encrypt messages in a MuleSoft application
  • Using one’s own set of private and public keys to accept and decrypt messages in a MuleSoft application

What is Pretty Good Privacy (PGP)?

Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann created it in 1991.

MuleSoft SFTP Connector:

The SFTP Connector implements a secure file transport channel so that the Mule application can exchange files with external resources. We can implement the SFTP endpoint as an inbound endpoint with a one-way exchange pattern, or as an outbound endpoint configured for either a one-way or request-response exchange pattern.

Implementation:

Using MuleSoft Anypoint Platform, it's very easy to configure SFTP connections so that the Mule application can exchange files. MuleSoft also provides encryption and decryption capabilities. In this example, we will configure the SFTP connector, use the data encryption/decryption capabilities, and build a MuleSoft application to:

  • Read data file from SFTP location
  • Encrypt file data
  • Write encrypted file contents to SFTP location
  • Read encrypted data file from SFTP location
  • Decrypt file data
  • Write decrypted file contents to SFTP location

I already have a public and private key pair to use for this application. Refer to the following links for more details regarding PGP:

  • https://gpgtools.org/keychain/index.html
  • https://docs.mulesoft.com/mule-user-guide/v/3.6/pgp-encrypter

Let's begin creating a simple MuleSoft application to address these requirements.

Create Mule Application:

The first step is to create a new MuleSoft application using the wizard in Anypoint Platform.

[Image: create_new_application]

Configure PGP:

Once the project is created, configure PGP: go to the “Global Elements” section and create Spring beans.

[Image: mule_global_elements]

[Image: create_spring_beans]

You must have both public and private keys. You will have to configure the following properties:

  • secretKeyRingFileName : Provide the private key file path.
  • publicKeyRingFileName : Provide the public key file path.
  • secretAliasId : This is tricky. Initially set this property to “1”. We will come back to it in a few minutes.
  • secretPassphrase : Provide the passphrase you used when generating the public/private key pair.
  • pgpCredentialAccessor : Provide the name of the accessor used to browse the receiver’s public key ring.

Now create the PgpCredentialAccessor class, a simple class that provides the credentials the receiver used to generate the key.

[Image: pgp_credential_accessor]

Finally, the configuration will look something like this.

[Image: mule_flow_beans]
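
The global elements described above, sketched as Mule 3 XML. This is an added example, not the author's configuration: the key ring file names, the bean ids, the `com.example` package and the `${pgp.secret.passphrase}` property name are assumptions, and the passphrase is read from an external property instead of being written into the XML.

```xml
<!-- Sits inside the <mule> root element; assumes the spring and pgp
     namespaces are declared there. -->
<spring:beans>
    <!-- Key ring holder: loads the public and secret key rings at start-up -->
    <spring:bean id="pgpKeyManager"
                 class="org.mule.module.pgp.PGPKeyRingImpl"
                 init-method="initialise">
        <!-- Assumed file names, resolved from the application's resources -->
        <spring:property name="publicKeyRingFileName" value="pubring.gpg"/>
        <spring:property name="secretKeyRingFileName" value="secring.gpg"/>
        <!-- Start with 1, then replace it with a key value that Mule logs
             when the first start-up fails -->
        <spring:property name="secretAliasId" value="1"/>
        <!-- Assumed property name; supply the value at deploy time so the
             passphrase stays out of the XML and out of source control -->
        <spring:property name="secretPassphrase" value="${pgp.secret.passphrase}"/>
    </spring:bean>

    <!-- Hypothetical package; the class implements
         org.mule.api.security.CredentialsAccessor -->
    <spring:bean id="pgpCredentialAccessor"
                 class="com.example.PgpCredentialAccessor"/>
</spring:beans>

<pgp:security-manager>
    <pgp:security-provider name="pgpSecurityProvider"
                           keyManager-ref="pgpKeyManager"/>
    <!-- The strategy name is what the encrypt and decrypt transformers
         reference through strategy-ref -->
    <pgp:keybased-encryption-strategy name="keyBasedEncryptionStrategy"
                                      keyManager-ref="pgpKeyManager"
                                      credentialsAccessor-ref="pgpCredentialAccessor"/>
</pgp:security-manager>
```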

Create read-flow:

Now we will build our first MuleSoft flow, which reads a file from an SFTP location. The SFTP_IN connector reads the file from the external location. After receiving the file, the flow uses MuleSoft’s encrypt-transformer to encrypt the file data and places the encrypted file in a different location. The SFTP_ENCRYPTED connector is configured to place encrypted files in an external location. Our flow will look something like this:

[Image: read_flow_diagram]

[Image: read_flow_code]

Create write-flow:

Now we will build another MuleSoft flow, which writes a file to an SFTP location. The SFTP_ENCRYPTED connector reads the encrypted file from the external location. After receiving the file, the flow uses MuleSoft’s decrypt-transformer to decrypt the file data and places the decrypted file in a different location. The SFTP_OUT connector is configured to place decrypted files in an external location. Our flow will look something like this:

[Image: write_flow_diagram]

[Image: write_flow_code]
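
The read-flow and write-flow described above, sketched as Mule 3 XML. This is an added example, not the author's flow code: the `${sftp.*}` property names, the polling interval and the `keyBasedEncryptionStrategy` name are assumptions, and the SFTP credentials come from external properties instead of being written into the flows.

```xml
<!-- Sits inside the <mule> root element; assumes the sftp namespace is
     declared and that keyBasedEncryptionStrategy is the PGP key-based
     encryption strategy defined in the global elements. -->
<flow name="read-flow">
    <!-- SFTP_IN: poll /IN for clear-text files -->
    <sftp:inbound-endpoint host="${sftp.host}" port="22" path="/IN"
                           user="${sftp.user}" password="${sftp.password}"
                           pollingFrequency="10000"/>

    <!-- Encrypt the payload with the receiver's public key -->
    <encrypt-transformer strategy-ref="keyBasedEncryptionStrategy"/>

    <!-- SFTP_ENCRYPTED: write the PGP message under the original file name -->
    <sftp:outbound-endpoint host="${sftp.host}" port="22" path="/ENCRYPTED"
                            user="${sftp.user}" password="${sftp.password}"
                            outputPattern="#[message.inboundProperties.originalFilename]"/>
</flow>

<flow name="write-flow">
    <!-- SFTP_ENCRYPTED: poll /ENCRYPTED for PGP messages -->
    <sftp:inbound-endpoint host="${sftp.host}" port="22" path="/ENCRYPTED"
                           user="${sftp.user}" password="${sftp.password}"
                           pollingFrequency="10000"/>

    <!-- Decrypt with the secret key selected by secretAliasId -->
    <decrypt-transformer strategy-ref="keyBasedEncryptionStrategy"/>

    <!-- SFTP_OUT: write the decrypted file under the original file name -->
    <sftp:outbound-endpoint host="${sftp.host}" port="22" path="/OUT"
                            user="${sftp.user}" password="${sftp.password}"
                            outputPattern="#[message.inboundProperties.originalFilename]"/>
</flow>
```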

Determine secretAliasId:

Now try to run the Mule application. You will notice that the application fails when you run it. Remember that we configured the secretAliasId value as “1” in step 2? This is the time to correct it.

Note that MuleSoft has logged the possible key values in the console logs. In most cases the second key value from the logs will work, but it is recommended to try both values.

[Image: error_secrete_key]

Update PGP configuration with appropriate key value:

Now, let's update our PGP configuration with the correct secretAliasId value.

[Image: fix_secrete_key]

Now run the application again. This time you will see that the application starts without any issues.

[Image: launch_application]

You can now place the file in the “/IN/” directory. Our read-flow will pick up the file from the “/IN/” folder, encrypt the file data and place the encrypted file in the “/ENCRYPTED/” folder.

Next, the write-flow will pick up the encrypted file from the “/ENCRYPTED/” directory, decrypt the file data and place the decrypted file in the “/OUT/” directory.

Things to Remember:

  • If you are running JDK 1.4+ that comes with the Sun JCE by default, you must install the Unlimited Strength Jurisdiction Policy files.

References:

  • https://docs.mulesoft.com/mule-user-guide/v/3.6/pgp-encrypter
  • https://docs.mulesoft.com/mule-user-guide/v/3.6/sftp-connector