Is MySQL port 3306 encrypted, and if no, how can I encrypt it?

Question

I am working through a security audit for a system at my work and one of the requirements is to encrypt all traffic through public/unprotected networks. Since we are accessing the MySQL database (over port 3306) on one of our external servers from our office network, the connection to MySQL needs to be encrypted.

Is it already encrypted, and if not, how can I encrypt it?

I am using tools and scripts which can't use fancy SSH-port-forwards or VPNs... is it still possible?

Answer 1

No, by default mysql traffic is not encrypted. Setting up MySQL to work with OpenSSL on a per-connection basis is your best bet. Most binaries are built with SSL support these days, but it's easy enough to check if your version will support it. From the documentation:

To check whether a server binary is compiled with SSL support, invoke it with the --ssl option. An error will occur if the server does not support SSL:

shell> mysqld --ssl --help
060525 14:18:52 [ERROR] mysqld: unknown option '--ssl'

Answer 2

By default MySQL does not encrypt its client/server communication:

• https://dev.mysql.com/doc/refman/5.6/en/security-guidelines.html

You can setup MySQL to accept connections over SSL and require users to use SSL. Here's the guide for SSL setup:

• https://dev.mysql.com/doc/refman/5.6/en/encrypted-connections.html

MySQL 8:

• https://dev.mysql.com/doc/refman/8.0/en/security-guidelines.html
• https://dev.mysql.com/doc/refman/8.0/en/encrypted-connections.html