MySQL 8.0 Reference Manual Including MySQL NDB Cluster 8.0

4.4.2 mysql_secure_installation — Improve MySQL Installation Security

This program enables you to improve the security of your MySQL installation in the following ways:

mysql_secure_installation helps you implement security recommendations similar to those described at Section 2.10.4, “Securing the Initial MySQL Account”.

Normal usage is to connect to the local MySQL server; invoke mysql_secure_installation without arguments:


When executed, mysql_secure_installation prompts you to determine which actions to perform.

The validate_password component can be used for password strength checking. If the plugin is not installed, mysql_secure_installation prompts the user whether to install it. Any passwords entered later are checked using the plugin if it is enabled.

Most of the usual MySQL client options such as --host and --port can be used on the command line and in option files. For example, to connect to the local server over IPv6 using port 3307, use this command:

mysql_secure_installation --host=::1 --port=3307

mysql_secure_installation supports the following options, which can be specified on the command line or in the [mysql_secure_installation] and [client] groups of an option file. For information about option files used by MySQL programs, see Section, “Using Option Files”.

Table 4.8 mysql_secure_installation Options

Option Name Description Introduced
--defaults-extra-file Read named option file in addition to usual option files
--defaults-file Read only named option file
--defaults-group-suffix Option group suffix value
--help Display help message and exit
--host Host on which MySQL server is located
--no-defaults Read no option files
--password Accepted but always ignored. Whenever mysql_secure_installation is invoked, the user is prompted for a password, regardless
--port TCP/IP port number for connection
--print-defaults Print default options
--protocol Transport protocol to use
--socket Unix socket file or Windows named pipe to use
--ssl-ca File that contains list of trusted SSL Certificate Authorities
--ssl-capath Directory that contains trusted SSL Certificate Authority certificate files
--ssl-cert File that contains X.509 certificate
--ssl-cipher Permissible ciphers for connection encryption
--ssl-crl File that contains certificate revocation lists
--ssl-crlpath Directory that contains certificate revocation-list files
--ssl-fips-mode Whether to enable FIPS mode on client side
--ssl-key File that contains X.509 key
--tls-ciphersuites Permissible TLSv1.3 ciphersuites for encrypted connections 8.0.16
--tls-version Permissible TLS protocols for encrypted connections
--use-default Execute with no user interactivity
--user MySQL user name to use when connecting to server