Skip to content
| Marketplace
Sign in
Visual Studio Code>Other>MuleSoft Secure AES Encrypt / DecryptNew to Visual Studio Code? Get it now.
MuleSoft Secure AES Encrypt / Decrypt

MuleSoft Secure AES Encrypt / Decrypt

Ajay Kontham

|
49 installs
| (0) | Free
Encrypt and decrypt text using MuleSoft AES-256 / Secure Properties format. Also includes Base64 encoding and decoding tools.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.
Copied to clipboard
More Info

MuleSoft AES & Secure Properties Encrypt / Decrypt

License

A VS Code extension for encrypting and decrypting MuleSoft secure configuration properties without leaving your editor. All cryptography runs locally; keys and KeyIdentifier names are held only in VS Code's secret storage and are never transmitted.

The extension bundles three tools:

Tool Purpose
MuleSoft AES Encrypt / Decrypt Focused AES/CBC workflow matching MuleSoft's most common setup.
Secure Properties Encrypt / Decrypt Full generator parity: multiple algorithms, cipher modes, and random IVs.
Base64 Encode / Decode Quick text and file Base64 utility.

Feature Summary

Tool Algorithms Modes Random IV Editor integration
AES Encrypt / Decrypt AES-128 / AES-256 CBC No (derived IV) Toolbar, right-click, whole-file workflow (.yaml, .yml, .properties)
Secure Properties Encrypt / Decrypt AES, Blowfish, DES, DESede, RC2, RCA CBC, CFB, ECB, OFB Optional No (sidebar / palette)
Base64 Encode / Decode — — — No

The two encryption tools are independent screens. AES editor workflows are wired into YAML/properties files for in-place value updates and whole-file operations; the Secure Properties tool is launched from the sidebar or Command Palette. With its defaults (AES / CBC / no random IV), the Secure Properties tool produces output that is byte-for-byte identical to the AES tool, so the two are interchangeable for standard values.


A. MuleSoft AES Encrypt / Decrypt

The streamlined option for projects using MuleSoft's standard AES configuration.

  • MuleSoft compatible: AES-128-CBC or AES-256-CBC with PKCS5 padding.
  • Key-driven strength: a key of exactly 32 characters selects AES-256; any other key (including 16- or 24-character keys) uses AES-128. This tool only ever produces AES-128 or AES-256 — there is no AES-192 mode here. If you need true AES-192, use the Secure Properties tool instead (see below).
  • Derived IV: taken from the first 16 characters of the key, so encryption is deterministic — identical input always yields identical output.
  • Output format: ![base64EncodedString], ready to paste into MuleSoft config files.
  • Editor integration: a toolbar button appears automatically when editing .yaml, .yml, and .properties files.
  • Selection actions: select a value, right-click, and encrypt or decrypt it in place with a saved KeyIdentifier or one-off manual key.
  • Whole-file workflow: open the file workflow beside the editor to encrypt selected plain fields or decrypt every secure value in the active file. Select all / Clear buttons adjust the encrypt-mode selection, and a Refresh button re-scans the file for changes made outside the panel. Each field row shows its name, value (truncated past 120 characters), and full path with line number, and the KeyIdentifier dropdown shows a masked preview of the selected key — just like the main AES screen. A header button jumps back to the sidebar.
Property Value
Algorithm AES-128-CBC or AES-256-CBC
Block size 128 bits
Padding PKCS5
IV Derived from the first 16 characters of the key
Output encoding Base64, wrapped in ![ ... ]

B. Secure Properties Encrypt / Decrypt

A flexible, full-featured encryption tool for MuleSoft secure properties that goes beyond the standard AES/CBC workflow. Use it when your configuration requires a different algorithm (such as Blowfish, DES, DESede, RC2, or RCA), a cipher mode other than CBC (CFB, ECB, or OFB), or the option to generate random initialization vectors for stronger, non-deterministic encryption.

The interface follows the same clean layout as the AES tool, with an extra options row that lets you choose:

  • Algorithm — AES, Blowfish, DES, DESede, RC2, or RCA
  • State (Mode) — CBC, CFB, ECB, or OFB
  • Use Random IVs — on or off (disabled automatically for ECB and RCA, which do not use IVs)

All output is produced in MuleSoft's standard secure properties format (![base64String]). When random IVs are enabled, the IV is prepended to the ciphertext so the resulting token remains self-contained and portable. With its defaults (AES / CBC / derived IV), the tool produces byte-for-byte identical results to the dedicated AES screen, so the two can be used interchangeably for common cases.

Options

Control Type Choices Default
Algorithm dropdown AES, Blowfish, DES, DESede, RC2, RCA AES
State (Mode) dropdown CBC, CFB, ECB, OFB CBC
Use Random IVs checkbox on / off off

Supported algorithms

Every algorithm shares one blanket floor enforced by the UI: keys must be at least 16 characters, regardless of what the cipher itself needs. Some ciphers only actually consume a prefix of that key (noted below); the rest is simply ignored.

Algorithm Description IV size Key requirement
AES Advanced Encryption Standard (default) 16 bytes 16 / 24 / 32 chars → AES-128 / 192 / 256
Blowfish Bruce Schneier's block cipher 8 bytes ≥ 16 chars required by the UI (up to 56 bytes used)
DES Data Encryption Standard (legacy) 8 bytes ≥ 16 chars required by the UI (only first 8 bytes used)
DESede Triple DES (3DES) 8 bytes ≥ 24 chars
RC2 Rivest Cipher 2 8 bytes ≥ 16 chars
RCA RC4 / ARCFOUR stream cipher none ≥ 16 chars

Note: unlike the Secure Properties tool, the standalone AES Encrypt / Decrypt tool (section A) does not support AES-192 — a 24-character key there still resolves to AES-128, using only its first 16 bytes.

Cipher modes ("state")

Mode Name Uses an IV?
CBC Cipher Block Chaining (default) Yes
CFB Cipher Feedback Yes
ECB Electronic Codebook No
OFB Output Feedback Yes

Initialization Vectors

  • Derived IV (default): the IV is the first N characters of the key (N = the algorithm's IV size — 16 for AES, 8 for the others). Encryption is deterministic, matching the AES tool's behaviour.
  • Random IV (checkbox on): a cryptographically random IV is generated per encryption, prepended to the ciphertext before Base64 encoding, and read back automatically during decryption. Each run produces different ciphertext, which is generally more secure.

Adaptive controls

The options row prevents invalid combinations:

  • ECB uses no IV, so the Use Random IVs checkbox is disabled.
  • RCA (RC4) is a stream cipher with no mode and no IV, so both the State (Mode) dropdown and the Use Random IVs checkbox are disabled.

Runtime availability

Ciphers run through Node.js / OpenSSL as provided by the VS Code runtime:

  • Always available: AES (all modes) and DESede (all modes).
  • May require the OpenSSL "legacy" provider: Blowfish, DES, RC2, RCA (RC4).

If the runtime cannot provide a selected algorithm, the tool returns a clear, non-crashing error (for example, Cipher "bf-cbc" is not supported by this runtime) rather than failing silently. The full algorithm set is always offered for fidelity with the MuleSoft generator.

Output format

All output is wrapped in MuleSoft's secure properties format, ![base64String]. When random IVs are enabled, the IV bytes are included at the front of the payload (inside the wrapper), keeping the value a single self-contained token.


C. Base64 Encode / Decode

  • Encode plain text or files to Base64.
  • Decode Base64 strings back to plain text.
  • Drag and drop or browse for files; copy results to the clipboard.
  • In file mode, Decode reads from the output box (where the encoded Base64 was produced or pasted), not the file-drop input — paste or edit the Base64 string there before decoding.

Key Management

Both encryption tools draw from the same set of KeyIdentifiers, managed from the Settings screen in the sidebar.

  • Presets for common environments: DEV, FIT, UAT, PROD.
  • Custom KeyIdentifiers: add your own named keys.
  • Secure storage: keys live in VS Code's built-in secret storage and never leave the machine.
  • Visibility toggle: show or hide keys with partial masking.

Selecting a KeyIdentifier from the dropdown fills in (and masks) its key. Choosing Custom lets you type a one-off key. Changes saved in Settings refresh any open encryption panels automatically.

Once a KeyIdentifier is selected, the key field shows a masked preview and is locked to that value. Typing a character, pressing Backspace/Delete, or pasting into the field automatically switches the dropdown back to Custom and clears the field so you can enter a one-off key — you don't need to explicitly reselect "Custom" first.

Save a key from the encrypt screen

When you type a custom key, a save button (disk icon) appears between the show/hide toggle and the KeyIdentifier dropdown. Click it to open a dialog, enter a Key Identifier name, and save — the key is stored in secret storage and immediately added to the dropdown on both encryption screens. In the save dialog, press Enter to confirm or Esc to cancel.

Refresh keys

Each encryption screen has a refresh button in the top-right corner that reloads KeyIdentifiers from storage, so newly added keys appear without closing and reopening the panel.


Quick Start

Install

  1. Open VS Code and go to Extensions (Ctrl+Shift+X / Cmd+Shift+X).
  2. Search for MuleSoft AES and click Install.

Use

  1. Click the MuleSoft AES icon in the activity bar.
  2. Open Settings and configure your encryption keys.
  3. Pick a tool from the sidebar:
    • MuleSoft AES Encrypt / Decrypt for standard AES/CBC values.
    • Secure Properties Encrypt / Decrypt for other algorithms, modes, or random IVs.
  4. Enter your text, choose a KeyIdentifier (and, for Secure Properties, the algorithm/mode/IV settings), then click Encrypt or Decrypt.
  5. Use Copy to Clipboard to grab the result.

Use in a YAML or properties editor

  1. Open a .yaml, .yml, or .properties file.
  2. Select a value and right-click MuleSoft AES: Encrypt Selection or MuleSoft AES: Decrypt Selection to update only that selection.
  3. Or click the MuleSoft AES: Encrypt / Decrypt File button in the editor toolbar to open the whole-file workflow panel beside the editor.
  4. In the file workflow, choose a KeyIdentifier (its key shows masked, as on the main AES screen) or input a key manually. Encrypt mode lets you multi-select plain fields, with Select all / Clear buttons to adjust the selection and a Refresh button to re-scan the file; decrypt mode automatically targets all complete ![ ... ] secure values. Each field row lists its name on the left and its value (truncated past 120 characters) plus full path/line number on the right. An icon button in the panel header jumps back to the sidebar.

Usage Examples

Encrypt a selected database password

  1. Open application.yaml.
  2. Select myDatabasePassword, right-click, and choose MuleSoft AES: Encrypt Selection.
  3. Select KeyIdentifier PROD, or input the key manually.
  4. The selected value is replaced in place:
    db:
      password: ! [EncryptedValueHere]
    

Encrypt multiple values in a file

  1. Open application.yaml or application.properties.
  2. Click MuleSoft AES: Encrypt / Decrypt File in the editor toolbar.
  3. Keep Encrypt selected, choose a KeyIdentifier or input a key, and select the fields you want to encrypt.
  4. Click Encrypt selected values to apply all replacements in one edit.

Decrypt all secure values in a file

  1. Open the file workflow beside a YAML or properties editor.
  2. Switch to Decrypt.
  3. Choose the same KeyIdentifier or manual key used for encryption.
  4. Click Decrypt all secure values to replace every detected ![ ... ] value in one edit.

Encrypt with a non-default algorithm (Secure Properties tool)

  1. Open Secure Properties Encrypt / Decrypt from the sidebar.
  2. Choose an algorithm/mode (for example, AES / CBC) and, optionally, check Use Random IVs.
  3. Select a KeyIdentifier or type a custom key, enter your secret, and click Encrypt. With random IVs on, encrypting the same value twice yields two different tokens that both decrypt to the original.

Decrypt an existing value

  1. Paste the ![ ... ] value into Input Text.
  2. Select the same KeyIdentifier used to encrypt.
  3. In the Secure Properties tool, also match the algorithm, mode, and Use Random IVs setting that produced the value.
  4. Click Decrypt.

Commands

Command Title Where
aes.encryptDecrypt MuleSoft AES Encrypt / Decrypt Sidebar, palette
aes.encryptSelection MuleSoft AES: Encrypt Selection Editor context menu, palette
aes.decryptSelection MuleSoft AES: Decrypt Selection Editor context menu, palette
aes.fileEncryptDecrypt MuleSoft AES: Encrypt / Decrypt File Editor toolbar, palette
aesEnhanced.encryptDecrypt MuleSoft Secure Properties Encrypt / Decrypt Sidebar, palette
base64.encodeDecode Base64 Encode / Decode Sidebar, palette
aes.openSettings MuleSoft AES: Settings Sidebar

aes.fileEncryptDecrypt is the only editor-toolbar entry. It appears for .yaml, .yml, and .properties files and opens the whole-file workflow panel beside the editor. aes.encryptSelection and aes.decryptSelection appear only in the editor context menu, and only when text is selected in those same file types — there is no separate "selection actions" toolbar command. The Secure Properties tool has no editor toolbar button or context menu entry by design; open it from the sidebar or Command Palette.


Security

  • Keys are stored in VS Code's secure storage, which maps to the OS keychain: Windows Credential Manager, macOS Keychain, or pass / secretservice on Linux.
  • All encryption and decryption happens locally. No keys or data are sent over the network, and there are no external API calls.
  • Keys are partially masked in the UI.

Best practices

  1. Use strong keys — 32 characters is recommended and unlocks AES-256.
  2. Prefer random IVs for new secrets where your MuleSoft runtime supports them.
  3. Rotate keys periodically in production.
  4. Use different keys per environment (DEV / FIT / UAT / PROD).
  5. Avoid legacy algorithms (DES, RC2, RC4) for new data; they exist for compatibility with existing values only.

Requirements

  • VS Code: 1.105.0 or higher
  • Node.js: v18+ (development only)
  • Disk space: < 5 MB

Troubleshooting

Selecting Blowfish / DES / RC2 / RCA returns a "not supported by this runtime" error. These legacy algorithms depend on the OpenSSL "legacy" provider, which may not be enabled in your VS Code runtime. AES and DESede always work; use AES for new secrets.

Decrypted output is garbage or decryption fails. Ensure every setting matches the values used to encrypt — the key / KeyIdentifier and, in the Secure Properties tool, the algorithm, mode, and Use Random IVs option.

The same input gives a different encrypted value each time. That is expected when Use Random IVs is checked; uncheck it for deterministic output.

An encryption key is not saving. Confirm VS Code can access secret storage, then restart VS Code.

The AES editor buttons do not appear. They only show for .yaml, .yml, and .properties files. The Secure Properties tool has no editor button by design — open it from the sidebar.

No fields appear in the file workflow. Encrypt mode lists plain scalar values that are not already wrapped in ![ ... ]. Decrypt mode lists complete secure values only.


Contributing

Contributions are welcome. Please submit issues and enhancement requests through the repository.

License

Licensed under the MIT License.

Links

  • Repository: framedparadox/mulesoft-aes-vscode
  • Issues: Report a bug
  • Changelog: CHANGELOG.md
  • MuleSoft docs: Secure Configuration Properties
  • Reference tool: Secure Properties generator
  • Contact us
  • Jobs
  • Privacy
  • Manage cookies
  • Terms of use
  • Trademarks
© 2026 Microsoft