Skip to main content

How to encrypt/decrypt messages in Mule with a JCE strategy

The Mule cryptography module provides the capability to encrypt/decrypt and sign the messages using asymmetric and symmetric keys and it supports PGP, JCE (Java Cryptography Extension) and XML strategies to encrypt messages. Of these, JCE is the lighter load cryptography module.

This blog discusses the key-based JCE strategy and the key features of the JCE Cryptography module which include:

  • Symmetric encryption/decryption of messages
  • Asymmetric encryption/decryption of messages
  • Sign and validate a message


  • Knowledge of key store, asymmetric vs symmetric keys and encryption/decryption.
  • Should have a key store which consists of asymmetric and symmetric keys.

Configure the JCE Cryptography module:

A key store needs to be provided along with the different types of keys in order to configure an JCE configuration module. In the example below we have configured a key store which consists of one symmetric key using an AES algorithm and one asymmetric key using an RSA algorithm.

JCE Config

Symmetric Encryption/Decryption:

Symmetric encryption uses only one secret key to encrypt or decrypt the message. The sender uses the secret key to encrypt the message and the receiver should use the same secret key to decrypt it. As it involves the exchange of the same key between the parties, it is not the most secure to use, especially when the data is flowing through the internet via a non-secure channel. The diagram below shows the message encryption and decryption using the same symmetric key:

Symmetric key

To encrypt the message in Mule using JCE, use the JCE encryption component as shown in the below diagram.

Symmetric encryption flow

Once the message is encrypted, it is converted into a Base64 string format and that format is printed and returned to the caller as a response.

To decrypt the message using JCE cryptography, convert the Base64 string into binary and use the JCE decrypt component to decrypt it as shown in the diagram below.

Symmetric decryption flow

Asymmetric Encryption/Decryption:

Asymmetric encryption/decryption is the most used cryptography method on the internet. Asymmetric cryptography requires a public/private key to encrypt and decrypt the data. The sender uses the public key to encrypt the data, whereas the receiver should use the private key to decrypt the data. The private keys will not be exchanged over internet and hence it is the most secure way to do the encryption and decryption of messages. The diagram below provides the idea on how Asymmetric keys will be used in cryptography.

Asymmetric Key


The Mule JCE encrypt/decrypt component allows you to configure the key ID and algorithm in order to encrypt/decrypt the payload. To use the asymmetric keys, the key ID and algorithm must be specified in the JCE cryptography configuration module as shown in the image below.

Asymmetric component

Sign and validate a message:

Signing the already encrypted message would add the additional layer of security to messages sent over the internet. Mule’s JCE cryptography module allows you to sign and validate a message. The basic flow involves the following steps:

  1. Encrypt the payload using the asymmetric key;
  2. Add signature to the encrypted payload using the asymmetric key;
  3. Validate the encrypted payload with signature payload using the asymmetric key;
  4. Decrypt the payload using asymmetric key.
Signature flow

Final thoughts

We selected JCE encryption/decryption for this blog as it is faster. PGP can be heavy and involves many steps to encrypt and decrypt messages. XML is also heavy and is becoming legacy. At the end though, it’s the use case at hand that will determine which strategy is more suitable.

If you would like to find out more about Anypoint Platform and the Mule Cryptography Module we can help. Give us a call or email us at

Other useful links:

How APIs can modernise legacy systems

Mule 4 Migration Accelerator

API Recipes with MuleSoft Anypoint Platform

Let’s engage