MySQL cannot generate the AES key needed to encrypt the audit log because OpenSSL's EVP_BytesToKey function failed.
ER_AUDIT_LOG_COULD_NOT_CREATE_AES_KEY appears when MySQL fails to derive the AES key that encrypts audit logs, usually due to an invalid passphrase or missing OpenSSL libraries. Regenerate the key with a valid passphrase, confirm libssl compatibility, and restart the server to resolve the error.
ER_AUDIT_LOG_COULD_NOT_CREATE_AES_KEY
Error 3208 signals that MySQL could not generate the AES-256 key required to encrypt the audit log file. The server calls OpenSSL's EVP_BytesToKey function during startup or key rotation; if the call returns an error, MySQL aborts audit log initialization and throws ER_AUDIT_LOG_COULD_NOT_CREATE_AES_KEY.
The issue was introduced in MySQL 5.7.22 alongside native audit log encryption. Fixing it is critical because an unencrypted or inaccessible audit log leaves compliance gaps, and the failure can block the server from starting when the audit_log plugin is not loaded with FORCE_PLUS_PERMISSIVE.
Most cases trace back to an invalid or empty passphrase in audit_log_encryption_password or a mismatch between the configured encryption algorithm and the installed OpenSSL libraries. File permission problems that prevent MySQL from reading key material also trigger the failure.
Server upgrades may silently link MySQL to a different OpenSSL version that lacks required ciphers, breaking EVP_BytesToKey. Container images that omit libcrypto often surface the bug at runtime.
First, verify that audit_log_encryption_password and audit_log_rotate_password are non-blank and satisfy length rules (minimum 8 characters). Restart MySQL after setting them in my.cnf or as dynamic variables.
If the passphrase is correct, confirm that libssl and libcrypto are installed and compatible with your MySQL build. Reinstall the missing libraries, or revert a library change that removed the legacy EVP functions.
When the key file is corrupted, drop it and force regeneration:
SET GLOBAL audit_log_encrypt=OFF; -- disable encryption temporarily
FLUSH LOGS; -- rotate to plain text and discard bad key
SET GLOBAL audit_log_encrypt=ON; -- recreate key with fresh passphrase
Inside Docker, the alpine image often lacks libcrypto.so. Install openssl-dev and restart the container to restore EVP_BytesToKey.
On Ubuntu 22.04, OpenSSL 3 deprecates some algorithms. Install the mysql-apt-config package that ships with OpenSSL 1.1 or compile MySQL against the new API.
Store audit_log_encryption_password in a secrets manager and inject it as an environment variable at startup to guarantee a valid passphrase.
Pin OpenSSL and MySQL package versions together in configuration management tools. Run a pre-flight script that calls openssl enc -aes-256-cbc to verify cipher availability before deploying MySQL.
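The pre-flight script described above, combined with the passphrase checks from the first troubleshooting step, as an added example that is not part of the original page or of MySQL itself. It reads the passphrase from a hypothetical AUDIT_LOG_PASSPHRASE environment variable; running openssl enc with -pass and without -pbkdf2 derives the key through EVP_BytesToKey, the same routine the server calls, so a failing round trip here predicts the server-side failure.

```shell
#!/bin/sh
# Pre-flight checks before starting MySQL with audit log encryption.
# Added example; AUDIT_LOG_PASSPHRASE is a hypothetical variable name.

# Passphrase must be non-blank and at least 8 characters long.
check_passphrase() {
    pw=$1
    [ -n "$pw" ] || { echo "passphrase is empty" >&2; return 1; }
    [ "${#pw}" -ge 8 ] || { echo "passphrase shorter than 8 characters" >&2; return 1; }
    return 0
}

# The openssl binary links libcrypto/libssl, so a working binary shows the
# shared libraries are loadable. Returns 2 when the tool is absent so callers
# can tell "not installed" from "installed but broken".
check_openssl_present() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl binary not found" >&2; return 2; }
    return 0
}

# Encrypt and decrypt a probe with AES-256-CBC using a password-derived key.
# Without -pbkdf2, openssl enc uses EVP_BytesToKey; -md sha256 pins the digest
# so old and new OpenSSL builds agree. Returns 0 ok, 1 cipher failure, 2 absent.
check_cipher() {
    pw=$1
    check_openssl_present || return 2
    out=$(printf 'probe' \
        | openssl enc -aes-256-cbc -md sha256 -pass "pass:$pw" 2>/dev/null \
        | openssl enc -d -aes-256-cbc -md sha256 -pass "pass:$pw" 2>/dev/null) || return 1
    [ "$out" = "probe" ] || { echo "AES-256-CBC round trip failed" >&2; return 1; }
    return 0
}

# Run every check; any failure should block the deploy.
preflight() {
    check_passphrase "$1" || return 1
    check_cipher "$1" || return 1
    return 0
}

if [ -n "${AUDIT_LOG_PASSPHRASE:-}" ]; then
    preflight "$AUDIT_LOG_PASSPHRASE" && echo "preflight OK"
fi
```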
ER_AUDIT_LOG_ENCRYPTION_PASSWORD_HAS_ALREADY_BEEN_SET occurs when attempting to change the passphrase without RESET MASTER - rotate the audit log first.
ER_AUDIT_LOG_CANNOT_OPEN_LOGFILE appears when the encrypted file cannot be created due to filesystem permissions; fix by chowning the log directory to the mysql user.
An empty audit_log_encryption_password prevents EVP_BytesToKey from generating a key.
Containers or minimal OS images without libssl or libcrypto make the function call fail.
Compiling MySQL with OpenSSL 3 while runtime links target OpenSSL 1.1 (or vice versa) disables required ciphers.
The MySQL user cannot read key files or the audit log directory, causing key creation to abort.
Raised when attempting to set the audit log password twice without rotation.
Indicates MySQL cannot create or access the audit log file - usually permission related.
Occurs when writing encrypted data fails due to corrupt key or disk issues.
Yes: when audit_log_encrypt=ON and the audit_log plugin is not loaded with FORCE_PLUS_PERMISSIVE, MySQL may refuse to start. Disabling encryption lets the server boot but leaves logs unprotected.
In non-production labs, yes. In regulated environments (PCI, HIPAA) you should restore encryption quickly and document the downtime.
Usually. Ensure you flush logs and restart afterwards so MySQL regenerates the key with the new passphrase.
Galaxy surfaces startup errors in its connection panel, guides you through setting variables, and stores your my.cnf snippet so teams can version and share the correct audit log settings.