Mysqldump: [Warning] Using a password on the command line interface can be insecure

Can you do a video on this? How to make a script that back ups the database so just links to a encrypted password some how like in /etc/shadow. So you don’t have to have the database password right in the script.

Looked for videos and looks like no one made one yet.

So it will be good for you to do this if you know how?

-Raymond Day

I may do a video on this, I haven’t decided. And I agree, it’s insecure to have plain text passwords showing up in the command history. But also keep in mind, in order for someone to view the history and grab the plain-text password, they would have to leverage another vulnerability to give them access to your system first, so by the time they get to your password they’re already in your system. And if you have someone already in your system, security in all forms goes out the window.

Having plain-text passwords in scripts is a more serious issue if the file containing the password is world-readable, or worse, in a publicly shared storage volume. But no matter what, you shouldn’t have plain text passwords anywhere, as that is more of a best-practice thing.

I’ll consider a video on it, but no promises (yet).


1 Like

Command line ones can show up in ps output too…

This is the recommended way (a lot like how we store SMB credentials):


1 Like

A couple of additional options using vaults (dynamic, static, ephemeral) :

Azure, AWS, OCI all offer hybrib on-prim / cloud KMS vaults. The benefit of HashiCorp is, you can spin up your own VM / Container Service locally (on-prim, homelab, hybrid, whatever).

  • MySQL Workbench and Vault

  • Managing secrets with Vault

  • HashiCorp Vault (dynamic)
  • Another example using HC Vault
  • Secrets using Vault (static)
  • OCI Vault