Mysqldump launched by cron and password security

I wrote a script to backup my MySQL databases using:

mysqldump --opt --all-databases -u user -pmypassword > myDump.sql

A cron launches it every night and scp the result to another server. mypassword appears in clear in my script, everyone can see it with the appropriate rights. I have been told about /proc issues too (where the cmd run can be seen).

MySQL documentation says:

> Specifying a password on the command line should be considered insecure. See Section 7.6, "Keeping Your Password Secure".

I have not found this magic 7.6 sections anywhere.

What is the good practice to deal with automatic mysqldump and password security?

Quoting the MySQL docs(<http://dev.mysql.com/doc/refman/5.1/en/password-security-user.html>;): >Store your password in an option file. For example, on Unix you can list your password in the [client] section of the .my.cnf file in your home directory: > > [client] > password=your_pass > >To keep the password safe, the file should not be accessible to anyone but yourself. To ensure this, set the file access mode to 400 or 600. For example: > > shell> chmod 600 .my.cnf > >To name from the command line a specific option file containing the password, use the --defaults-file=file_name option, where file_name is the full path name to the file.

to add to Sahil's answer above, use --defaults-extra-file

--defaults-extra-file is used to tell a program to read a single specific option file in addition to the standard option files.

whereas --defaults-file is read instead of the default my.cnf file.

The accepted answer stores the password in a plain text file, which could be read by anyone with administrative (root) access. If your database is in a shared hosting environment, this is undesirable.

A better option would be to use mysql_config_editor to create an encrypted login path named mysqldump. According to the MySQL documentation:

> mysql_config_editor encrypts the .mylogin.cnf file so it cannot be read as cleartext, and its contents when decrypted by client programs are used only in memory. In this way, passwords can be stored in a file in non-cleartext format and used later without ever needing to be exposed on the command line or in an environment variable.

The following command will create your mysqldump login path:

mysql_config_editor set --login-path=mysqldump --host=your_hostname --user=your_username --password

You will be prompted to enter your password, and the login path you created will be stored in encrypted format. mysqldump will automatically use this login path whenever you call it in the future, unless you specify a different login path with the --login-path command line option.

Here is how you would invoke mysqldump after creating an encrypted login path:

mysqldump database_name > output_file

All answers here are in pieces so sharing a complete command which will do the required and must be used if database are heavy in size, --single-transaction and --lock-tables are very important here

mysqldump --defaults-extra-file=/home/dangi/.my.cnf -u root --single-transaction --quick --lock-tables=false --all-databases (or) DATABASE | gzip > OUTPUT.gz;

Note: Answer is in add of Avibodha and sahil answer, they have already made the point. I am just putting their answer in single piece of code with important measure should be taken at time of backing up live database

Check out Keeping Passwords Secure for a good answer. You can store your password in the my.cnf file changing the permissions on that file to keep the password secure.

You can also check the last comment on this page too:

MYSQL_PWD="tinkerbell" mysqldump -ubackup --all-databases > dump.sql

The following method works for me on a Windows machine, if you have 2 versions of MySQL installed, and you are not sure which my.ini is used when you run mysqldump, this will also help:

1, C:\ProgramData\MySQL\MySQL Server 5.6\my.ini, fine [client], replace it to:

[client]
user=my_user
password=my_password

2, Use this command:

C:\Program Files\MySQL Server 5.6\bin>mysqldump --default-extra-file="C:\ProgramData\MySQL\MySQL Server 5.6\my.ini" -u my_user db_to_export > db_to_export.sql