MuleSoft AES & Secure Properties Encrypt / Decrypt

A VS Code extension for encrypting and decrypting MuleSoft secure configuration
properties without leaving your editor. All cryptography runs locally; keys and
KeyIdentifier names are held only in VS Code's secret storage and are never
transmitted.
The extension bundles three tools:
| Tool |
Purpose |
| MuleSoft AES Encrypt / Decrypt |
Focused AES/CBC workflow matching MuleSoft's most common setup. |
| Secure Properties Encrypt / Decrypt |
Full generator parity: multiple algorithms, cipher modes, and random IVs. |
| Base64 Encode / Decode |
Quick text and file Base64 utility. |
Feature Summary
| Tool |
Algorithms |
Modes |
Random IV |
Editor integration |
| AES Encrypt / Decrypt |
AES-128 / AES-256 |
CBC |
No (derived IV) |
Toolbar, right-click, whole-file workflow (.yaml, .yml, .properties) |
| Secure Properties Encrypt / Decrypt |
AES, Blowfish, DES, DESede, RC2, RCA |
CBC, CFB, ECB, OFB |
Optional |
No (sidebar / palette) |
| Base64 Encode / Decode |
— |
— |
— |
No |
The two encryption tools are independent screens. AES editor workflows are wired
into YAML/properties files for in-place value updates and whole-file operations;
the Secure Properties tool is launched from the sidebar or Command Palette. With
its defaults (AES / CBC / no random IV), the Secure Properties tool produces
output that is byte-for-byte identical to the AES tool, so the two are
interchangeable for standard values.
A. MuleSoft AES Encrypt / Decrypt
The streamlined option for projects using MuleSoft's standard AES configuration.
- MuleSoft compatible: AES-128-CBC or AES-256-CBC with PKCS5 padding.
- Key-driven strength: a key of exactly 32 characters selects AES-256; any
other key (including 16- or 24-character keys) uses AES-128. This tool only
ever produces AES-128 or AES-256 — there is no AES-192 mode here. If you need
true AES-192, use the Secure Properties tool instead (see below).
- Derived IV: taken from the first 16 characters of the key, so encryption
is deterministic — identical input always yields identical output.
- Output format:
![base64EncodedString], ready to paste into MuleSoft
config files.
- Editor integration: a toolbar button appears automatically when editing
.yaml, .yml, and .properties files.
- Selection actions: select a value, right-click, and encrypt or decrypt it
in place with a saved KeyIdentifier or one-off manual key.
- Whole-file workflow: open the file workflow beside the editor to encrypt
selected plain fields or decrypt every secure value in the active file.
Select all / Clear buttons adjust the encrypt-mode selection, and a
Refresh button re-scans the file for changes made outside the panel. Each
field row shows its name, value (truncated past 120 characters), and full
path with line number, and the KeyIdentifier dropdown shows a masked preview
of the selected key — just like the main AES screen. A header button jumps
back to the sidebar.
| Property |
Value |
| Algorithm |
AES-128-CBC or AES-256-CBC |
| Block size |
128 bits |
| Padding |
PKCS5 |
| IV |
Derived from the first 16 characters of the key |
| Output encoding |
Base64, wrapped in ![ ... ] |
B. Secure Properties Encrypt / Decrypt
A flexible, full-featured encryption tool for MuleSoft secure properties that goes beyond the standard AES/CBC workflow. Use it when your configuration requires a different algorithm (such as Blowfish, DES, DESede, RC2, or RCA), a cipher mode other than CBC (CFB, ECB, or OFB), or the option to generate random initialization vectors for stronger, non-deterministic encryption.
The interface follows the same clean layout as the AES tool, with an extra options row that lets you choose:
- Algorithm — AES, Blowfish, DES, DESede, RC2, or RCA
- State (Mode) — CBC, CFB, ECB, or OFB
- Use Random IVs — on or off (disabled automatically for ECB and RCA, which do not use IVs)
All output is produced in MuleSoft's standard secure properties format (![base64String]). When random IVs are enabled, the IV is prepended to the ciphertext so the resulting token remains self-contained and portable. With its defaults (AES / CBC / derived IV), the tool produces byte-for-byte identical results to the dedicated AES screen, so the two can be used interchangeably for common cases.
Options
| Control |
Type |
Choices |
Default |
| Algorithm |
dropdown |
AES, Blowfish, DES, DESede, RC2, RCA |
AES |
| State (Mode) |
dropdown |
CBC, CFB, ECB, OFB |
CBC |
| Use Random IVs |
checkbox |
on / off |
off |
Supported algorithms
Every algorithm shares one blanket floor enforced by the UI: keys must be at
least 16 characters, regardless of what the cipher itself needs. Some
ciphers only actually consume a prefix of that key (noted below); the rest is
simply ignored.
| Algorithm |
Description |
IV size |
Key requirement |
| AES |
Advanced Encryption Standard (default) |
16 bytes |
16 / 24 / 32 chars → AES-128 / 192 / 256 |
| Blowfish |
Bruce Schneier's block cipher |
8 bytes |
≥ 16 chars required by the UI (up to 56 bytes used) |
| DES |
Data Encryption Standard (legacy) |
8 bytes |
≥ 16 chars required by the UI (only first 8 bytes used) |
| DESede |
Triple DES (3DES) |
8 bytes |
≥ 24 chars |
| RC2 |
Rivest Cipher 2 |
8 bytes |
≥ 16 chars |
| RCA |
RC4 / ARCFOUR stream cipher |
none |
≥ 16 chars |
Note: unlike the Secure Properties tool, the standalone AES Encrypt /
Decrypt tool (section A) does not support AES-192 — a 24-character key there
still resolves to AES-128, using only its first 16 bytes.
Cipher modes ("state")
| Mode |
Name |
Uses an IV? |
| CBC |
Cipher Block Chaining (default) |
Yes |
| CFB |
Cipher Feedback |
Yes |
| ECB |
Electronic Codebook |
No |
| OFB |
Output Feedback |
Yes |
Initialization Vectors
- Derived IV (default): the IV is the first N characters of the key (
N =
the algorithm's IV size — 16 for AES, 8 for the others). Encryption is
deterministic, matching the AES tool's behaviour.
- Random IV (checkbox on): a cryptographically random IV is generated per
encryption, prepended to the ciphertext before Base64 encoding, and read back
automatically during decryption. Each run produces different ciphertext, which
is generally more secure.
Adaptive controls
The options row prevents invalid combinations:
- ECB uses no IV, so the Use Random IVs checkbox is disabled.
- RCA (RC4) is a stream cipher with no mode and no IV, so both the State
(Mode) dropdown and the Use Random IVs checkbox are disabled.
Runtime availability
Ciphers run through Node.js / OpenSSL as provided by the VS Code runtime:
- Always available: AES (all modes) and DESede (all modes).
- May require the OpenSSL "legacy" provider: Blowfish, DES, RC2, RCA (RC4).
If the runtime cannot provide a selected algorithm, the tool returns a clear,
non-crashing error (for example, Cipher "bf-cbc" is not supported by this runtime) rather than failing silently. The full algorithm set is always offered
for fidelity with the MuleSoft generator.
All output is wrapped in MuleSoft's secure properties format, ![base64String].
When random IVs are enabled, the IV bytes are included at the front of the
payload (inside the wrapper), keeping the value a single self-contained token.
C. Base64 Encode / Decode
- Encode plain text or files to Base64.
- Decode Base64 strings back to plain text.
- Drag and drop or browse for files; copy results to the clipboard.
- In file mode, Decode reads from the output box (where the encoded
Base64 was produced or pasted), not the file-drop input — paste or edit the
Base64 string there before decoding.
Key Management
Both encryption tools draw from the same set of KeyIdentifiers, managed from
the Settings screen in the sidebar.
- Presets for common environments: DEV, FIT, UAT, PROD.
- Custom KeyIdentifiers: add your own named keys.
- Secure storage: keys live in VS Code's built-in secret storage and never
leave the machine.
- Visibility toggle: show or hide keys with partial masking.
Selecting a KeyIdentifier from the dropdown fills in (and masks) its key.
Choosing Custom lets you type a one-off key. Changes saved in Settings
refresh any open encryption panels automatically.
Once a KeyIdentifier is selected, the key field shows a masked preview and is
locked to that value. Typing a character, pressing Backspace/Delete, or
pasting into the field automatically switches the dropdown back to Custom
and clears the field so you can enter a one-off key — you don't need to
explicitly reselect "Custom" first.
Save a key from the encrypt screen
When you type a custom key, a save button (disk icon) appears between the
show/hide toggle and the KeyIdentifier dropdown. Click it to open a dialog,
enter a Key Identifier name, and save — the key is stored in secret storage
and immediately added to the dropdown on both encryption screens. In the save
dialog, press Enter to confirm or Esc to cancel.
Refresh keys
Each encryption screen has a refresh button in the top-right corner that
reloads KeyIdentifiers from storage, so newly added keys appear without closing
and reopening the panel.
Quick Start
Install
- Open VS Code and go to Extensions (
Ctrl+Shift+X / Cmd+Shift+X).
- Search for MuleSoft AES and click Install.
Use
- Click the MuleSoft AES icon in the activity bar.
- Open Settings and configure your encryption keys.
- Pick a tool from the sidebar:
- MuleSoft AES Encrypt / Decrypt for standard AES/CBC values.
- Secure Properties Encrypt / Decrypt for other algorithms, modes, or
random IVs.
- Enter your text, choose a KeyIdentifier (and, for Secure Properties, the
algorithm/mode/IV settings), then click Encrypt or Decrypt.
- Use Copy to Clipboard to grab the result.
Use in a YAML or properties editor
- Open a
.yaml, .yml, or .properties file.
- Select a value and right-click MuleSoft AES: Encrypt Selection or
MuleSoft AES: Decrypt Selection to update only that selection.
- Or click the MuleSoft AES: Encrypt / Decrypt File button in the editor
toolbar to open the whole-file workflow panel beside the editor.
- In the file workflow, choose a KeyIdentifier (its key shows masked, as on
the main AES screen) or input a key manually. Encrypt mode lets you
multi-select plain fields, with Select all / Clear buttons to adjust
the selection and a Refresh button to re-scan the file; decrypt mode
automatically targets all complete
![ ... ] secure values. Each field row
lists its name on the left and its value (truncated past 120 characters)
plus full path/line number on the right. An icon button in the panel header
jumps back to the sidebar.
Usage Examples
Encrypt a selected database password
- Open
application.yaml.
- Select
myDatabasePassword, right-click, and choose
MuleSoft AES: Encrypt Selection.
- Select KeyIdentifier
PROD, or input the key manually.
- The selected value is replaced in place:
db:
password: ! [EncryptedValueHere]
Encrypt multiple values in a file
- Open
application.yaml or application.properties.
- Click MuleSoft AES: Encrypt / Decrypt File in the editor toolbar.
- Keep Encrypt selected, choose a KeyIdentifier or input a key, and select
the fields you want to encrypt.
- Click Encrypt selected values to apply all replacements in one edit.
Decrypt all secure values in a file
- Open the file workflow beside a YAML or properties editor.
- Switch to Decrypt.
- Choose the same KeyIdentifier or manual key used for encryption.
- Click Decrypt all secure values to replace every detected
![ ... ]
value in one edit.
Encrypt with a non-default algorithm (Secure Properties tool)
- Open Secure Properties Encrypt / Decrypt from the sidebar.
- Choose an algorithm/mode (for example, AES / CBC) and, optionally, check
Use Random IVs.
- Select a KeyIdentifier or type a custom key, enter your secret, and click
Encrypt. With random IVs on, encrypting the same value twice yields two
different tokens that both decrypt to the original.
Decrypt an existing value
- Paste the
![ ... ] value into Input Text.
- Select the same KeyIdentifier used to encrypt.
- In the Secure Properties tool, also match the algorithm, mode, and Use
Random IVs setting that produced the value.
- Click Decrypt.
Commands
| Command |
Title |
Where |
aes.encryptDecrypt |
MuleSoft AES Encrypt / Decrypt |
Sidebar, palette |
aes.encryptSelection |
MuleSoft AES: Encrypt Selection |
Editor context menu, palette |
aes.decryptSelection |
MuleSoft AES: Decrypt Selection |
Editor context menu, palette |
aes.fileEncryptDecrypt |
MuleSoft AES: Encrypt / Decrypt File |
Editor toolbar, palette |
aesEnhanced.encryptDecrypt |
MuleSoft Secure Properties Encrypt / Decrypt |
Sidebar, palette |
base64.encodeDecode |
Base64 Encode / Decode |
Sidebar, palette |
aes.openSettings |
MuleSoft AES: Settings |
Sidebar |
aes.fileEncryptDecrypt is the only editor-toolbar entry. It appears for
.yaml, .yml, and .properties files and opens the whole-file workflow panel
beside the editor. aes.encryptSelection and aes.decryptSelection appear only
in the editor context menu, and only when text is selected in those same file
types — there is no separate "selection actions" toolbar command. The Secure
Properties tool has no editor toolbar button or context menu entry by design;
open it from the sidebar or Command Palette.
Security
- Keys are stored in VS Code's secure storage, which maps to the OS keychain:
Windows Credential Manager, macOS Keychain, or
pass / secretservice on
Linux.
- All encryption and decryption happens locally. No keys or data are sent over
the network, and there are no external API calls.
- Keys are partially masked in the UI.
Best practices
- Use strong keys — 32 characters is recommended and unlocks AES-256.
- Prefer random IVs for new secrets where your MuleSoft runtime supports them.
- Rotate keys periodically in production.
- Use different keys per environment (DEV / FIT / UAT / PROD).
- Avoid legacy algorithms (DES, RC2, RC4) for new data; they exist for
compatibility with existing values only.
Requirements
- VS Code: 1.105.0 or higher
- Node.js: v18+ (development only)
- Disk space: < 5 MB
Troubleshooting
Selecting Blowfish / DES / RC2 / RCA returns a "not supported by this runtime"
error. These legacy algorithms depend on the OpenSSL "legacy" provider, which
may not be enabled in your VS Code runtime. AES and DESede always work; use AES
for new secrets.
Decrypted output is garbage or decryption fails. Ensure every setting
matches the values used to encrypt — the key / KeyIdentifier and, in the Secure
Properties tool, the algorithm, mode, and Use Random IVs option.
The same input gives a different encrypted value each time. That is expected
when Use Random IVs is checked; uncheck it for deterministic output.
An encryption key is not saving. Confirm VS Code can access secret storage,
then restart VS Code.
The AES editor buttons do not appear. They only show for .yaml, .yml,
and .properties files. The Secure Properties tool has no editor button by
design — open it from the sidebar.
No fields appear in the file workflow. Encrypt mode lists plain scalar
values that are not already wrapped in ![ ... ]. Decrypt mode lists complete
secure values only.
Contributing
Contributions are welcome. Please submit issues and enhancement requests through
the repository.
License
Licensed under the MIT License.
Links