These days most applications use some kind of database service to store data. Also, It’s important that this data is accessed securely. In that regard, this article focuses on MySQL database service and more specifically on the mysql_config_editor tool.

Scenario

The customer I work with has a Linux host (Ubuntu) hosting a large database server. He has also configured regular database backups to an external storage using mysqldump tool. Furthermore, he had scheduled a cron job to execute it periodically. Currently, the password is given in the command line which is a bad practice. Therefore, he is looking for a method to implement this more securely.

Solution

The solution I gave was to use the mysql_config_editor tool. It masks login details and stores in a file named .mylogin.cnf. Usually, this file is located in the user’s home directory. in addition, changes needed to existing process is small.

Configuration

Let’s assume below login details are being used to backup the database.

Host: db.example.org
User: foo
Pass: bar
Port: 3306

The command shown below will create a login path named localbackup. Once executed, It will prompt you to enter a password.

# mysql_config_editor set --login-path=localbackup --host=db.example.org --user=foo --password --port=3306

The command shown below will list the details related to the login path we just created.

# mysql_config_editor print --login-path=localbackup

Similarly, the command show below will list the all login paths configured for the current user.

# mysql_config_editor print --all

As an example, following command uses login path to backup a database.

# mysqldump --login-path=localbackup dbname > db.sql

Similarly, following command removes the login path we created.

mysql_config_editor remove --login-path=localbackup