The mysql_config_editor utility (available as
of MySQL 5.6.6) enables you to store authentication credentials
in an encrypted login file named
.mylogin.cnf. The file location is the
%APPDATA%\MySQL directory on Windows and
the current user's home directory on non-Windows systems. The
file can be read later by MySQL client programs to obtain
authentication credentials for connecting to MySQL Server.
To specify an alternate file name, set the
MYSQL_TEST_LOGIN_FILE environment variable.
This variable is used by the
mysql-test-run.pl testing utility, but also
is recognized by
mysql_config_editor and by
MySQL clients such as mysql,
mysqladmin, and so forth.
mysql_config_editor encrypts the
.mylogin.cnf file so it cannot be read as
clear text, and its contents when decrypted by client programs
are used only in memory. In this way, passwords can be stored in
a file in non-cleartext format and used later without ever
needing to be exposed on the command line or in an environment
variable. mysql_config_editor provides a
The encryption used by mysql_config_editor
prevents passwords from appearing in
.mylogin.cnf as clear text and provides a
measure of security by preventing inadvertent password exposure.
For example, if you display a regular unencrypted
my.cnf option file on the screen, any
passwords it contains are visible for anyone to see. With
.mylogin.cnf, that is not true. But the
encryption used will not deter a determined attacker and you
should not consider it unbreakable. A user who can gain system
administration privileges on your machine to access your files
could decrypt the
.mylogin.cnf file with
The login file must be readable and writable to the current
user, and inaccessible to other users. Otherwise,
mysql_config_editor ignores it, and the file
is not used by client programs, either. On Windows, this
constraint does not apply; instead, the user must have access to
The unencrypted format of the
login file consists of option groups, similar to other option
files. Each option group in
called a “login path,” which is a group that
permits only a limited set of options:
password. Think of a
login path as a set of values that indicate the server host and
the credentials for authenticating with the server. Here is an
[myloginpath] user = myname password = mypass host = 127.0.0.1
When you invoke a client program to connect to the server,
.mylogin.cnf is used in conjunction with
other option files. Its precedence is higher than other option
files, but less than options specified explicitly on the client
command line. For information about the order in which option
files are used, see Section 4.2.6, “Using Option Files”.
mysql_config_editor like this:
program_options consists of general
command indicates what command to perform,
command_options indicates any
additional options needed by the command.
The command indicates what action to perform on the
.mylogin.cnf login file. For example,
set writes a login path to the file,
remove removes a login path, and
The position of the command name within the set of program arguments is significant. For example, these command lines have the same arguments, but produce different results:
mysql_config_editor --help set mysql_config_editor set --help
The first command line displays general
mysql_config_editor help, and ignores the
set command. The second command line displays
help for the
Suppose that you want to establish two login paths named
connecting to the local MySQL server and a server on the host
remote.example.com. You want to authenticate
to the local server with a user name and password of
and to the remote server with a user name and password of
To set up the login paths in the
.mylogin.cnf file, use the following
set commands. Enter each command on a single
line, then enter the appropriate password when prompted.
mysql_config_editor set --login-path=local --host=localhost --user=localuser --passwordEnter password:
enter password "localpass" hereshell>
mysql_config_editor set --login-path=remote --host=remote.example.com --user=remoteuser --passwordEnter password:
enter password "remotepass" here
To see what mysql_config_editor wrote to the
.mylogin.cnf file, use the
mysql_config_editor print --all[local] user = localuser password = ***** host = localhost [remote] user = remoteuser password = ***** host = remote.example.com
As shown by the preceding examples, the
.mylogin.cnf file can contain multiple
login paths. In this way, mysql_config_editor
makes it easy to set up multiple “personalities”
for connecting to different MySQL servers. Any of these can be
selected by name later using the
option when you invoke a client program. For example, to connect
to the local server, use this command:
To connect to the remote server, use this command:
When you use the
set command with
mysql_config_editor to create a login path,
you need not specify all three possible option values (host
name, user name, and password). Only those values given are
written to the path. Any missing values required later can be
specified when you invoke a client path to connect to the MySQL
server, either in other option files or on the command line.
Also, any options specified on the command line override those
in option files, including the
file. For example, if the credentials in the
remote login path also apply for the host
remote2.example.com, you can connect to the
server on that host like this:
mysql --login-path=remote --host=remote2.example.com
.mylogin.cnf file, if it exists, is
read in all cases, even when the
--no-defaults option is used.
This permits passwords to be specified in a safer way than on
the command line even if
--no-defaults is present.
This section describes the permitted
mysql_config_editor commands, and the
interpretation of options that have a command-specific meaning.
In addition, mysql_config_editor takes other
options that can be used with any command, such as
--verbose to produce more information as
mysql_config_editor executes. This option may
be helpful in diagnosing problems if an operation does not have
the effect you expect. For a list of supported options, see
mysql_config_editor supports these commands:
Display a help message and exit.
Print the contents of
unencrypted form. Passwords are displayed as
Remove a login path from the
remove command takes these options:
Remove the host name from the login path.
The login path to remove. If this option is not given,
the default path name is
Remove the password from the login path.
Remove the TCP/IP port number from the login path.
Remove the Unix socket file name from the login path.
Remove the user name from the login path.
remove command removes from the login
path only such values as are specified with the
If none of them is given,
the entire login path. For example, this command removes
user value from the
client login path rather than the entire
client login path:
mysql_config_editor remove --login-path=client --user
Empty the contents of the
file. The file is created if it does not exist.
Write a login path to the
set command takes these options:
The host name to write to the login path.
The login path to create. If this option is not given,
the default path name is
Prompt for a password to write to the login path.
The TCP/IP port number to write to the login path.
The Unix socket file to write to the login path.
The user name to write to the login path.
set command writes to the login path
only such values as are specified with the
If none of those options are given,
mysql_config_editor writes the login path
as an empty group.
To specify an empty password, use the
command with the
option, then press Enter at the password prompt. The
resulting login path written to
.mylogin.cnf will include a line like
If the login path already exists in
set command replaces it. To ensure that
this is what the user wants,
mysql_config_editor prints a warning and
prompts for confirmation. To suppress the warning and
prompt, use the
mysql_config_editor supports the following options.
|--all||Print all login paths|
|--debug[=debug_options]||Write a debugging log|
|--help||Display help message and exit|
|--host=host_name||Host to write to login file|
|--login-path=name||Login path name|
|--password||Solicit password to write to login file|
|--port=port_num||TCP/IP port number to write to login file||5.6.11|
|--socket=path||The Unix socket file name to write to login file||5.6.11|
|--user=user_name||User name to write to login file|
|--version||Display version information and exit|
|--warn||Warn and solicit confirmation for overwriting login path|
Display a help message and exit. If preceded by a command
name such as
remove, displays information about that
Write a debugging log. A typical
debug_options string is
The default is
set command, the host name to
write to the login path. For the
command, removes the host name from the login path.
set commands, the login path to use
.mylogin.cnf login file.
Client programs also support the
--login-path option, to enable users to
specify which login path to use for connecting to a MySQL
server. For client programs,
must be the first option given, which is not true for
Section 4.2.7, “Command-Line Options that Affect Option-File Handling”.
set command, cause
mysql_config_editor to prompt for a
password and write the value entered by the user to the
login path. After mysql_config_editor
starts and displays the prompt, the user should type the
password and press Enter. To prevent other users from seeing
the password, mysql_config_editor does
not echo it.
This option does not permit a password value following the
option name. That is, with
mysql_config_editor, you never enter a
password on the command line where it might be seen by other
users. This differs from most other MySQL programs, which
permit the password to be given on the command line as
(That practice is insecure and should be avoided, however.)
remove command, removes the
password from the login path.
set command, the TCP/IP port
number to write to the login path. For the
remove command, removes the port number
from the login path.
set command, the Unix socket file
name to write to the login path. For the
remove command, removes the socket file
from the login path.
set command, the user name to
write to the login path. For the
command, removes the user name from the login path.
Verbose mode. Print more information about what the program does.
Display version information and exit.
set command, warn and prompt the
user for confirmation if the command attempts to overwrite
an existing login path. This option is enabled by default;
to disable it.