Securely Using Passwords In Server Side MySQL Scripts

Today I did some administrative maintenance for the Mumble VoIP project. I fixed the MySQL server installation on our forums server.

MySQL has multiple binaries for different use cases. The ones of importance for this post are mysqld, mysql_upgrade and mysqldump.

Securely Using Passwords in Server Side MySQL Scripts

Ubuntu stores the login data, most importantly the password, for the root account of the MySQL server in /etc/mysql/debian.cnf.

This configuration file is used for dpkg/apt package installations and upgrades when the post-installation package configuration has to run queries on the MySQL server.

The .cnf MySQL configuration file uses an ini-style syntax and has sections for the respective MySQL client binaries such as mysql, mysqldump and mysql_upgrade.

The mysql_upgrade program is used to upgrade the server database after the package installation has been updated. When this automatic step fails, the mysql_upgrade program can be executed manually as well to check for and execute data upgrade migrations.

mysql is the standard client.

The file debian.cnf is a good example of how to securely specify login credentials without exposing them to the shell and potential logging of commands.

With mysqldump

For a given Linux user account you can create a file ~/.my.cnf with a configuration section for mysqldump and specify the appropriate login and password for your backup scripts running under that (system) account.

[mysqldump]
user=root
password=secret

When the backup script/cronjob runs, mysqldump will default to using this login information.

With adequate, restrictive file permissions on ~/.my.cnf this is the recommended, secure way to store your passwords for automation.
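One way to create such a file and check its permissions before a backup runs, as an added example that is not part of the original post. The function names are hypothetical; the password is read from standard input so that it never appears on a command line.

```shell
#!/bin/sh
# Added example; write_mysqldump_cnf and check_cnf_perms are hypothetical names.

# Write a [mysqldump] option file for the given user.
# The password comes from stdin, so it is not in argv, the process list
# or the shell history.
write_mysqldump_cnf() {
    cnf=$1 user=$2
    IFS= read -r pw || [ -n "$pw" ] || return 1
    # Create (or truncate) the file with no group/other access before any
    # secret is written; chmod also tightens a pre-existing loose file.
    ( umask 077; : > "$cnf" ) || return 1
    chmod 600 "$cnf" || return 1
    printf '[mysqldump]\nuser=%s\npassword=%s\n' "$user" "$pw" > "$cnf"
}

# Return 0 only if the option file is a regular file (not a symlink),
# owned by the calling user, with no permission bits for group or others.
check_cnf_perms() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld -- "$f" | cut -c5-10)" = "------" ]
}

# Typical use in a backup cronjob (not executed here):
#   check_cnf_perms "$HOME/.my.cnf" || { echo "refusing: loose perms" >&2; exit 1; }
#   mysqldump --all-databases > /path/to/backup.sql
```

The check fails closed: a file that is world-readable, group-readable, a symlink, or owned by another account stops the backup instead of silently using exposed credentials.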

Official Documentation