How to Encrypt MySQL password using mysql_config_editor

Obscuring Authentication Options

Specifying a password on the command line in the form ‘mysql -u root -ppassword’ is not recommended. For convenience, you could put a password in a [client] option group of an option file, but the password is then stored in plain text, easily visible to anyone with read access to the option file.

The mysql_config_editor utility enables you to store authentication credentials in an encrypted login file named .mylogin.cnf. The file location is the current user’s home directory on Linux and UNIX, and the %APPDATA%\MySQL directory on Windows. The file can be read later by MySQL client programs to obtain authentication credentials for connecting to MySQL Server. The encryption method is reversible, so you should not assume the credentials are secure against anyone with read privileges to the file. Rather, the feature makes it easier for you to avoid using plaintext credentials.

To specify a file name other than the default “.mylogin.cnf”, set the MYSQL_TEST_LOGIN_FILE environment variable. The unencrypted format of the .mylogin.cnf login file consists of option groups, similar to other option files. Each option group in .mylogin.cnf is called a “login path”, which is a group that permits only a limited set of options: host, user, and password. Think of a login path as a set of values that indicate the server host and the credentials for authenticating with the server. Here is an example:

[admin]
user = root
password = oracle
host = 127.0.0.1
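
The following audit script is an added example, not part of the original article or of MySQL itself. It flags plaintext password lines in an option file and a login file that users other than the owner can access, since the encryption is reversible. It assumes a Linux/UNIX home directory and checks only ~/.my.cnf as the option file; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit MySQL client credential files under one home directory.

# Print the line numbers in option file $1 that set a plaintext password.
plaintext_password_lines() {
    [ -r "$1" ] || return 0
    grep -nE '^[[:space:]]*password[[:space:]]*=' "$1" | cut -d: -f1
}

# Succeed if group or other hold any permission bit on file $1.
exposed_to_others() {
    mode=$(ls -ld -- "$1" | cut -c5-10)   # e.g. "r--r--" from "-rw-r--r--"
    [ "$mode" != "------" ]
}

# Audit home directory $1; print one finding per line, fail if any problem found.
audit_mysql_creds() {
    home=$1
    findings=0
    # Honour the MYSQL_TEST_LOGIN_FILE override for the login file location.
    login_file=${MYSQL_TEST_LOGIN_FILE:-$home/.mylogin.cnf}
    for n in $(plaintext_password_lines "$home/.my.cnf"); do
        echo "PLAINTEXT $home/.my.cnf line $n"
        findings=$((findings + 1))
    done
    if [ ! -f "$login_file" ]; then
        echo "MISSING $login_file"
    elif exposed_to_others "$login_file"; then
        echo "EXPOSED $login_file"
        findings=$((findings + 1))
    else
        echo "OK $login_file"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: a home directory with both problems, then audited.
demo=$(mktemp -d)
printf '[client]\nuser = root\npassword = oracle\n' > "$demo/.my.cnf"
: > "$demo/.mylogin.cnf"; chmod 644 "$demo/.mylogin.cnf"
( unset MYSQL_TEST_LOGIN_FILE; audit_mysql_creds "$demo" ) || echo "findings reported for $demo"
rm -rf "$demo"
```

To audit a real account, call audit_mysql_creds "$HOME"; a non-zero exit status means at least one PLAINTEXT or EXPOSED finding was printed.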

Login Paths

The .mylogin.cnf file contains login paths. They are similar to option groups. Each login path contains authentication information for a single identity. Clients refer to a login path with the --login-path command-line option:

mysql --login-path=admin

If you invoke mysql_config_editor without using the --login-path option, it uses the [client] login path. This login path is used by all standard clients by default. For example, the following command creates a [client] login path used by all standard clients:

shell> mysql_config_editor set --user=root --password
Enter password: oracle

Invoking a standard client with no further command-line arguments or option files causes it to read the [client] login path in the .mylogin.cnf file, along with [client] option groups in any option files. For example, the following output shows the result of invoking the mysql client with no options, having executed the preceding command:

shell> mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
...

- To create a login path:

mysql_config_editor set --login-path=[login-path] --user=[user] --password --host=[hostname]

- To view a single login path in clear text:

mysql_config_editor print --login-path=[login-path]

- To view all login paths in clear text:

mysql_config_editor print --all

- To remove a login path:

mysql_config_editor remove --login-path=[login-path]

The default login path name is client. It is read by all standard clients.