How to Securely Store MySQL Passwords or Enable Passwordless Authentication for CLI


1 views

When working frequently with MySQL CLI, typing passwords repeatedly becomes tedious and potentially insecure. Let's explore professional approaches to streamline authentication while maintaining security.

The safest method is storing credentials in .my.cnf:

[client]
user = your_username
password = your_password
host = localhost

Set strict permissions:

chmod 600 ~/.my.cnf

For temporary sessions:

export MYSQL_PWD='your_password'
mysql -u username

Remember to unset afterward:

unset MYSQL_PWD

MySQL 5.6+ offers encrypted credential storage:

mysql_config_editor set --login-path=dev --host=localhost --user=username --password

Then connect simply with:

mysql --login-path=dev

For remote servers, combine SSH keys with MySQL:

ssh -f -L 3306:localhost:3306 user@remote.server.com -N
mysql -h 127.0.0.1 -u username
  • Never store passwords in scripts or version control
  • Use mysql_config_editor for encrypted storage when available
  • Regularly rotate credentials stored in configuration files
  • Consider IP whitelisting for passwordless auth from specific hosts

For production systems, configure MySQL SSL authentication:

[client]
ssl-ca=/path/to/ca.pem
ssl-cert=/path/to/client-cert.pem
ssl-key=/path/to/client-key.pem

Then connect with:

mysql --ssl-mode=REQUIRED -u username

When working frequently with MySQL command line client, repeatedly entering credentials becomes tedious. There are several secure approaches to streamline authentication while maintaining security:

The most common solution is creating a configuration file in your home directory:


[client]
user = your_username
password = your_password
host = localhost

Security Note: Set strict permissions (600) on this file:


chmod 600 ~/.my.cnf

MySQL provides a secure way to store credentials using mysql_config_editor:


mysql_config_editor set --login-path=client --host=localhost --user=your_user --password

This creates encrypted credentials in .mylogin.cnf which can be accessed by:


mysql --login-path=client

For remote servers, consider SSH key-based authentication:


ssh -f -L 3306:localhost:3306 user@remotehost -N
mysql -h 127.0.0.1 -u mysql_user -p

Always follow these security best practices:

  • Never store passwords in scripts or environment variables
  • Use strong file permissions (600 for config files)
  • Consider using MySQL's native password manager for better security
  • Regularly rotate credentials stored in config files

MySQL 8.0+ supports more secure authentication methods:


CREATE USER 'app_user'@'localhost' IDENTIFIED WITH auth_socket;

This allows OS-level authentication without password storage.

Remember that while these methods improve convenience, they should be implemented with proper security considerations based on your environment's requirements.