Mule Secure Properties

A VS Code extension to encrypt and decrypt MuleSoft Secure Configuration Properties directly in your editor — byte-for-byte compatible with MuleSoft's own runtime and secure-properties-tool.

Compatibility isn't assumed: the cipher core is a faithful port of MuleSoft's JCEEncrypter, and the test suite verifies it against ground-truth vectors generated from MuleSoft's actual runtime jars (see Compatibility & verification).

Features

• Encrypt / decrypt panel — pick algorithm and mode, supply a key, toggle random IV, and get the result (optionally wrapped as ![...]).
• Editor integration — select a value in a .yaml or .properties file, right-click, and encrypt or decrypt it in place.
• Key store — save named keys (e.g. DEV, UAT, PROD) in VS Code's SecretStorage; keys are stored locally and never leave your machine.
• Base64 utility — quick encode/decode.
• All MuleSoft-compatible symmetric algorithms — see the table below.

Supported algorithms and modes

Both fixed IV (MuleSoft default) and random IV (--use-random-iv, prepended to the ciphertext) are supported.

* OpenSSL legacy provider. Blowfish, DES, DESede and RC2 are legacy ciphers in OpenSSL 3. If the VS Code runtime doesn't load the legacy provider, these algorithms produce a clear error message; AES always works. (The test runner loads the legacy provider, so all algorithms are verified in CI.)

The key must be the exact byte length for the algorithm — MuleSoft uses the raw key bytes unchanged (no truncation or padding). For AES the byte length selects the variant: 16 → AES‑128, 24 → AES‑192, 32 → AES‑256.

Usage

Panel

1. Open the Mule Secure Properties view from the activity bar (lock icon).
2. Choose an algorithm and mode, enter a key (or pick a saved one), set the options, and click Encrypt or Decrypt.
3. Encrypted output can be wrapped as ![...] for direct use in a Mule config.

In a config file

Select a value in a .yaml or .properties file, right‑click, and choose Mule: Encrypt Selection or Mule: Decrypt Selection. You'll be prompted for algorithm, mode, IV setting, and key; the selection is replaced in place.

db:
  password: "![rPj8C0sN1m2v...==]"

The ![...] wrapper is MuleSoft property syntax, not part of the ciphertext — it's added on encrypt and tolerated on decrypt.

Compatibility & verification

MuleSoft's secure properties encryption (reconstructed from the mule-secure-configuration-property-module / mule-encryption jars) works as follows, and this extension reproduces it exactly:

• Cipher transformation ‹ALGORITHM›/‹MODE›/PKCS5Padding.
• The key is the raw UTF‑8 bytes of the key string, used unmodified.
• ECB: no IV. Fixed IV (default): the IV is the first block-size bytes of the key. Random IV: a random IV is generated and prepended to the ciphertext on encrypt, and stripped on decrypt.
• Stream modes (CFB/OFB) are PKCS‑padded to match the Java implementation.

tools/GenVectors.java runs MuleSoft's real classes to emit test/vectors/vectors.json; the unit tests then reproduce every vector byte‑for‑byte (fixed IV) or recover the plaintext (random IV). 56 vectors span all supported algorithms × modes × IV settings.

Development

npm install
npm run test:unit    # Vitest — crypto core + MuleSoft vector parity
npm run typecheck    # tsc --noEmit
npm run build        # esbuild -> dist/extension.js

Press F5 in VS Code to launch the Extension Development Host and try it live.

Regenerating the ground-truth vectors (requires a JDK and MuleSoft's jars; see tools/gen-vectors.ps1):

npm run gen:vectors

Security

• Keys are stored in VS Code SecretStorage and never transmitted anywhere.
• All encryption and decryption runs locally in the extension host.

Disclaimer

This is an independent, unofficial tool and is not affiliated with or endorsed by MuleSoft or Salesforce. "MuleSoft" is a trademark of its respective owner.

License

MIT