MySQL cannot start encrypted audit logging because no encryption password has been configured.
ER_AUDIT_LOG_ENCRYPTION_PASSWORD_HAS_NOT_BEEN_SET occurs when MySQL audit logging is set to ENCRYPTED but no encryption password exists. Set one with audit_log_encryption_password_set or retrieve the generated key with audit_log_encryption_password_get to resolve the warning and secure audit data.
ER_AUDIT_LOG_ENCRYPTION_PASSWORD_HAS_NOT_BEEN_SET
MySQL raises error 3207 when the audit_log plugin is configured to encrypt its output but no encryption password is currently defined. The server will auto-generate a temporary password, issue the warning, and continue running.
The condition first appeared in MySQL 5.7.22 alongside native support for encrypted JSON audit logs. Leaving the password unmanaged weakens security and complicates log rotation, so administrators should remediate immediately.
The audit_log plugin has log_encryption set to AES or RSA while audit_log_encryption_password has an empty value. On startup MySQL detects the mismatch and emits the error.
Upgrades where audit logging was previously unencrypted can also trigger the condition because the new default remains empty until manually set.
Create and store a strong password, then register it with MySQL. Use audit_log_encryption_password_set to persist it, or fetch the auto-generated key with audit_log_encryption_password_get and save it securely.
Changes take effect immediately; no server restart is required.
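The set-and-escrow sequence described above, written as a mysql client session. This is an added example, not part of the original page or MySQL's own documentation; it assumes the audit_log plugin is installed and the account may call its functions, and the `@audit_pw` variable, the 32-byte length and the use of the `audit_log_encryption` system variable for the mode check are choices made here.

```sql
-- Added example. Assumes the audit_log plugin is installed and the
-- connected account is allowed to call its functions.

-- 1. Confirm the plugin is active and see which encryption mode is configured.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME = 'audit_log';

SELECT @@GLOBAL.audit_log_encryption AS audit_log_encryption;

-- 2. Generate a high-entropy password on the server: 32 random bytes
--    rendered as 44 base64 characters. The length is this example's
--    assumption, not a value taken from the page.
SET @audit_pw = TO_BASE64(RANDOM_BYTES(32));

-- 3. Register it as the audit log encryption password.
SELECT audit_log_encryption_password_set(@audit_pw) AS set_result;

-- 4. Read back what the server now holds, so the value that goes into
--    the vault is the one the server will actually use.
SELECT audit_log_encryption_password_get() AS stored_password;

-- 5. Drop the session copy once the value has been escrowed.
SET @audit_pw = NULL;
```

Run this over a local socket or TLS connection and send the step 4 result straight to the vault, since the password appears in the result set.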
Fresh installs with encrypted audit logging need an initial password. Supply one at install time or in an automation script.
After version upgrades, verify that the password variable still exists in backup scripts and configuration management systems.
Always define audit_log_encryption_password in a secured configuration file managed by your secrets manager.
Rotate the password periodically and document the rotation procedure to satisfy compliance requirements.
ER_AUDIT_LOG_FILE_INVALID_FORMAT appears when an encrypted audit file does not match the current key. Regenerate the key or restore from backup.
ER_AUDIT_CANNOT_READ_FILE indicates permission issues on the log directory. Correct ownership or SELinux contexts.
audit_log.log_encryption is enabled but audit_log_encryption_password is blank.
Upgrading to 5.7.22 or higher inherits encryption defaults yet leaves the password unset.
An automation tool overwrites my.cnf and deletes the password entry.
Indicates the audit file cannot be decrypted with the supplied key.
MySQL lacks permission to read or write the audit log destination.
Password supplied to audit_log_encryption_password_set is below the minimum length.
No. audit_log_encryption_password_set applies immediately and new events are encrypted with the provided key.
Yes. Run audit_log_encryption_password_get and store the result in a secure vault.
You will not be able to decrypt archived audit logs. Always back up the key securely.
Galaxy's SQL editor highlights plugin warnings in results and lets you run the corrective procedures quickly, reducing downtime.