Tags: version-control, keys, sftp, mulesoft, anypoint-platform

How to securely store an identity file for a Mule application


We are using the SFTP connector for Mule 4. For an SFTP connection we authenticate with an identity file company.key and a passphrase.
The private (company.key) and public (company.pub) key were generated for us in another IT department.
I hesitate to put the company.key file into src/main/resources, reference it from the config.yaml by just the file path, and put it into version control.
Are private keys to be kept out of version control?
An answer on the MuleSoft forum advises exactly this.
I would much rather try to store the key on the Anypoint Platform either in the Trust Store or as Secret for the specific API, but I do not know how.
What is the secure way to store identity files?


Solution

  • Private key/secret files should be kept out of version control, no questions about that. Public keys (like TLS public certificates) are not secret and can be freely shared.

    If you control the host server you can put the files in a directory of the server outside the application and Mule installation directories. Secure the directory by using operating system permissions so only the user used by the Mule process can read it. Point to the right file using properties so it is configurable.

    If you are deploying to a managed environment, like CloudHub or Anypoint Runtime Fabric you don't have the option to use a server directory and you have to package the files with the application. That doesn't mean that you have to put them in version control. You can configure your version control software to ignore the files and add steps to the build process to include them at build time. For development they could be on your development environment. For production builds you could incorporate the files in a CI server, outside developer control.

    There is no place in Anypoint Platform to store these SSH key files. Note that for TLS certificates you could use Secrets Manager but only for some very specific use cases, and not for generic HTTPS Mule applications in CloudHub. But TLS certificates are completely different from SSH key files.
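The two controls the answer describes (keep the key file out of version control, and restrict it with OS permissions when it lives on the host) can be enforced with a small POSIX shell helper. This is an added example, not code from the original post or from MuleSoft; the file names, the ignore patterns and the idea of running `check_no_private_keys` over `git diff --cached --name-only` in a pre-commit hook are assumptions.

```shell
#!/bin/sh
# Added example (assumed helper, not from the original post): guard a Mule
# project against committing private key files, and verify the permissions
# of a key kept outside the application directory.

# Return 0 if the path looks like a private key: either by name (company.key,
# *.pem, ...) or because the file starts with a PEM "PRIVATE KEY" header.
is_private_key() {
  f="$1"
  case "$f" in *.key|*.pem|*.ppk|id_rsa|id_ed25519) return 0 ;; esac
  [ -f "$f" ] && head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY'
}

# Return 0 if none of the given paths is a private key, 1 otherwise.
# Intended for a pre-commit hook:
#   check_no_private_keys $(git diff --cached --name-only --diff-filter=A)
check_no_private_keys() {
  rc=0
  for f in "$@"; do
    if is_private_key "$f"; then
      echo "refusing to commit $f: it looks like a private key" >&2
      rc=1
    fi
  done
  return $rc
}

# Return 0 if the key file is readable only by its owner (mode 0600 or 0400),
# which is what the answer means by securing the directory with OS permissions.
check_key_perms() {
  f="$1"
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$f has mode $mode; expected 600 or 400" >&2; return 1 ;;
  esac
}

# Append ignore patterns for key material to .gitignore, once each (idempotent).
ignore_key_files() {
  gi="${1:-.gitignore}"
  for pat in '*.key' '*.pem' '*.ppk'; do
    grep -qxF "$pat" "$gi" 2>/dev/null || echo "$pat" >> "$gi"
  done
}
```

`company.pub` passes the check because public keys are not secret, exactly as the answer notes.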