The MySQL 8.0 Secure Deployment Guide documents procedures for deploying a Linux-generic binary distribution of MySQL Enterprise Edition Server with features for implementing and managing the security of your MySQL installation. The deployment is performed on Oracle Linux.
The deployment is specific to MySQL Enterprise Edition. Features required by the deployment, such as MySQL Enterprise Audit, MySQL Enterprise Firewall, and auto-generation of SSL certificates and keys, are only available with MySQL Enterprise Edition.
Deployment of the MySQL Enterprise Transparent Data Encryption (TDE) feature, which protects critical data by enabling data-at-rest encryption, is not covered in this guide. For more information, see Appendix A, Transparent Data Encryption (TDE) and MySQL Keyring.
Enabling FIPS (Federal Information Processing Standards) mode, which imposes conditions on cryptographic operations such as restrictions on acceptable encryption algorithms or requirements for longer key lengths, is not covered in this guide. For more information, see Appendix C, FIPS Support.
Enabling the MySQL Enterprise Data Masking and De-Identification extension, which can be used to mask sensitive data, is not covered in this guide. For more information, see Appendix B, Data Masking and De-Identification.
The deployment of other MySQL products such as MySQL Workbench, MySQL NDB Cluster, MySQL Shell, and MySQL Connectors is not covered in this guide.
This guide adheres to the following principles, which form the basis of a secure MySQL deployment:
Always use the latest MySQL release, which has the latest security features and patches.
Always practice the principle of least privilege, which requires that users, processes, programs, and other system components only have access to information and resources that are required for their legitimate purpose.
A secure deployment also requires implementation of security policies that protect the entire server host (not just the MySQL server) against all types of applicable attacks. Such policies include, but are not limited to, using a firewall, securing operating system access, and employing enhanced security modules such as SELinux and AppArmor. These types of server host security measures are not covered in this guide.
For more information about security topics related to MySQL server and related applications, see Security.