Security in MySQL  /  ...  /  Initializing the Data Directory Manually

3.1.1 Initializing the Data Directory Manually

This section describes how to initialize the data directory manually. These instructions are for use with MySQL installations for which data directory initialization is not automatic.


The data directory initialization sequence performed by the server does not substitute for the actions performed by mysql_secure_installation and mysql_ssl_rsa_setup. See mysql_secure_installation — Improve MySQL Installation Security, and mysql_ssl_rsa_setup — Create SSL/RSA Files.

Data Directory Initialization Procedure

The following instructions assume that your current location is the MySQL installation directory, represented here by BASEDIR. Change location to that directory:


To initialize the data directory, invoke mysqld with the --initialize or --initialize-insecure option, depending on whether you want the server to generate a random initial password for the 'root'@'localhost' account, or to create that account with no password:

  • Use --initialize for secure by default installation (that is, including generation of a random initial root password). In this case, the password is marked as expired and you will need to choose a new one.

  • With the --initialize-insecure option, no root password is generated. This is insecure; it is assumed that you will assign a password to the account in timely fashion before putting the server into production use.


The server writes any messages (including any initial password) to its standard error output. This may be redirected to the error log, so look there if you do not see the messages on your screen. For information about the error log, including where it is located, see The Error Log.

On Windows, use the --console option to direct messages to the console.

On Unix and Unix-like systems, it is important for the database directories and files to be owned by the mysql login account so that the server has read and write access to them when you run it later. To ensure this, start mysqld from the system root account and include the --user option as shown here:

bin/mysqld --initialize --user=mysql
bin/mysqld --initialize-insecure --user=mysql

Alternatively, execute mysqld while logged in as mysql, in which case you can omit the --user option from the command.

On Windows, use one of these commands:

bin\mysqld --initialize --console
bin\mysqld --initialize-insecure --console

It might be necessary to specify other options such as --basedir or --datadir if mysqld cannot identify the correct locations for the installation directory or data directory. For example (enter the command on a single line):

bin/mysqld --initialize --user=mysql

Alternatively, put the relevant option settings in an option file and pass the name of that file to mysqld. For Unix and Unix-like systems, suppose that the option file name is /opt/mysql/mysql/etc/my.cnf. Put these lines in the file:


Then invoke mysqld as follows (enter the command on a single line with the --defaults-file option first):

bin/mysqld --defaults-file=/opt/mysql/mysql/etc/my.cnf
  --initialize --user=mysql

On Windows, suppose that C:\my.ini contains these lines:

basedir=C:\\Program Files\\MySQL\\MySQL Server 5.7

Then invoke mysqld as follows (enter the command on a single line with the --defaults-file option first):

bin\mysqld --defaults-file=C:\my.ini
   --initialize --console

Server Actions During Data Directory Initialization

When invoked with the --initialize or --initialize-insecure option, mysqld performs the following data directory initialization sequence.

  1. The server checks for the existence of the data directory as follows:

    • If no data directory exists, the server creates it.

    • If a data directory exists but is not empty (that is, it contains files or subdirectories), the server exits after producing an error message:

      [ERROR] --initialize specified but the data directory exists. Aborting.

      In this case, remove or rename the data directory and try again.

      As of MySQL 5.7.11, an existing data directory is permitted to be nonempty if every entry either has a name that begins with a period (.) or is named using an --ignore-db-dir option.


      Avoid the use of the --ignore-db-dir option, which has been deprecated since MySQL 5.7.16.

  2. Within the data directory, the server creates the mysql system database and its tables, including the grant tables, time zone tables, and server-side help tables. See The mysql System Database.

  3. The server initializes the system tablespace and related data structures needed to manage InnoDB tables.


    After mysqld sets up the InnoDB system tablespace, certain changes to tablespace characteristics require setting up a whole new instance. Qualifying changes include the file name of the first file in the system tablespace and the number of undo logs. If you do not want to use the default values, make sure that the settings for the innodb_data_file_path and innodb_log_file_size configuration parameters are in place in the MySQL configuration file before running mysqld. Also make sure to specify as necessary other parameters that affect the creation and location of InnoDB files, such as innodb_data_home_dir and innodb_log_group_home_dir.

    If those options are in your configuration file but that file is not in a location that MySQL reads by default, specify the file location using the --defaults-extra-file option when you run mysqld.

  4. The server creates a 'root'@'localhost' superuser account and other reserved accounts (see Section 5.4, “Reserved User Accounts”). Some reserved accounts are locked and cannot be used by clients, but 'root'@'localhost' is intended for administrative use and you should assign it a password.

    Server actions with respect to a password for the 'root'@'localhost' account depend on how you invoke it:

    • With --initialize but not --initialize-insecure, the server generates a random password, marks it as expired, and writes a message displaying the password:

      [Warning] A temporary password is generated for root@localhost:
    • With --initialize-insecure, (either with or without --initialize because --initialize-insecure implies --initialize), the server does not generate a password or mark it expired, and writes a warning message:

      [Warning] root@localhost is created with an empty password ! Please
      consider switching off the --initialize-insecure option.

    For instructions on assigning a new 'root'@'localhost' password, see later in this section.

  5. The server populates the server-side help tables used for the HELP statement (see HELP Syntax). The server does not populate the time zone tables. To do so manually, see MySQL Server Time Zone Support.

  6. If the --init-file option was given to name a file of SQL statements, the server executes the statements in the file. This option enables you to perform custom bootstrapping sequences.

    When the server operates in bootstrap mode, some functionality is unavailable that limits the statements permitted in the file. These include statements that relate to account management (such as CREATE USER or GRANT), replication, and global transaction identifiers.

  7. The server exits.

Post-Initialization root Password Assignment

After you initialize the data directory by starting the server with --initialize or --initialize-insecure, start the server normally (that is, without either of those options) and assign the 'root'@'localhost' account a new password:

  1. Start the server. For instructions, see Section 3.2, “Starting the Server”.

  2. Connect to the server:

    • If you used --initialize but not --initialize-insecure to initialize the data directory, connect to the server as root:

      mysql -u root -p

      Then, at the password prompt, enter the random password that the server generated during the initialization sequence:

      Enter password: (enter the random root password here)

      Look in the server error log if you do not know this password.

    • If you used --initialize-insecure to initialize the data directory, connect to the server as root without a password:

      mysql -u root --skip-password
  3. After connecting, use an ALTER USER statement to assign a new root password:

    ALTER USER 'root'@'localhost' IDENTIFIED BY 'root-password';

Attempts to connect to the host normally resolve to the localhost account. However, this fails if the server is run with the --skip-name-resolve option. If you plan to do that, make sure that an account exists that can accept a connection. For example, to be able to connect as root using --host= or --host=::1, create these accounts:

CREATE USER 'root'@'' IDENTIFIED BY 'root-password';
CREATE USER 'root'@'::1' IDENTIFIED BY 'root-password';

It is possible to put those statements in a file to be executed by the --init-file option discussed previously.

User Comments
User comments in this section are, as the name implies, provided by MySQL users. The MySQL documentation team is not responsible for, nor do they endorse, any of the information provided here.
  Posted by Ilguiz Latypov on May 10, 2016
I missed the my.cnf / my.ini encoding rule that interprets the back-slash character as an escape character.

It would make sense to emphasize this in my-default.ini, along with a suggestion to use forward-slashes instead of doubling back-slashes.
  Posted by Alex Kersha on August 6, 2016
For Windows users, after the first initialization of your MySQL instance, the terminal may open and close too quickly for you to see the return messages from the startup sequence. Check to make sure that the /data directory was created. Also, if successful and you used the --initialize parameter, there will be a "[computer name].err" file in the /data folder with the temporary one time use password for you to login as root for the first time.
Sign Up Login You must be logged in to post a comment.