Subkey in PGP Encryption


We can use a vendor-provided PGP public key to encrypt data or files and send them to the vendor. Once they receive the data, they can use their private key to decrypt it. The vendor can share their public key in either asc (text) or gpg (binary) format. Most of the time the vendor's public key holds Certify, Sign and Encrypt keys, and we have to use the appropriate subkey. Let's see how we can use a subkey in PGP encryption.

When we use the fingerprint of the public key, it will use the default primary key.

We can check the subkeys in the provided public key: right-click on the key and click Details.


Click on More Details…


We can see both subkeys, Certify and Encrypt, where Certify is the primary key.


To choose only the Encrypt subkey, we have to copy the ID of that specific subkey: 83FDFC091D283082

Sometimes a vendor uses the DSA algorithm for Certify and Sign and Elgamal for Encryption. If we use the fingerprint, it will pick the DSA key (which is primary), and this can lead to the error below:

Message : Can't use DSA for encryption.

Element : mule-Flow/processors/1 @ mule:mule.xml:30 (Pgp encrypt)

Element XML : <crypto:pgp-encrypt doc:name="Pgp encrypt" doc:id="xxxxxxxx" config-ref="Crypto_Pgp" keyId="zzzzzz"></crypto:pgp-encrypt>


So in this case the correct subkey should be used instead of the fingerprint.

We can see such an example below: a public key which uses the DSA algorithm for Certify and Sign and Elgamal for Encryption.


So let's start with PGP encryption. We need two things to encrypt in MuleSoft:

  • Public Key in gpg format
  • Fingerprint – Subkey ID which we want to use

For this POC we will use the public key we created in our earlier tutorial: Generate Private Public PGP key

Let’s create a project in MuleSoft


Add the Crypto connector in the Mule Palette. Check out this tutorial on how to add a module in Anypoint Studio: Add Module In Anypoint Studio

Drag and drop PGP encrypt and Logger into the flow

Add the PGP public key, Public_4232E6BD7151FF89D9F755807AC70C45987C59AA.gpg, to resources


Click on the PGP encrypt connector and click on Add configuration


Populate Public keyring with the name of the public key we placed in resources

  • Click Add symbol to add fingerprint detail
  • Add Key id and Subkey as Fingerprint

Click Finish


Add the same Key Id in the Key Selection box


In the logger we will capture the encrypted payload


Now run the application and test the endpoint in SOAP UI


We can see the encrypted details in response

We can cross check the encrypted message online –


PGP MuleSoft application – pgp-sample-service

PGP SOAP UI application – PGP-Sample-soapui-project

Thank you for taking out time to read the above post. Hope you found it useful. In case of any questions, feel free to comment below. Also, if you are keen on knowing about a specific topic, happy to explore your recommendations as well.
For any latest updates or posts on our website, you can follow us on LinkedIn. Look forward to connecting with you there.
