The server warns that the supplied AES key has an insecure length; use a key of exactly 16, 24, or 32 bytes, or derive one with a secure KDF.
WARN_AES_KEY_SIZE in MySQL appears when the AES_ENCRYPT or AES_DECRYPT key is not 16, 24, or 32 bytes. Provide a correctly sized key or derive one with HKDF or PBKDF2 to eliminate the warning.
WARN_AES_KEY_SIZE
Error 3237 with condition name WARN_AES_KEY_SIZE is a security warning introduced in MySQL 5.7.40. The server detects that the key supplied to AES_ENCRYPT or AES_DECRYPT does not match accepted lengths or was not derived by a secure KDF.
The database expects a key of 16, 24, or 32 bytes to align with AES-128, AES-192, or AES-256. Any other length risks reduced entropy, so MySQL raises this warning to steer users toward best practices.
The warning is triggered when an application calls AES_ENCRYPT, AES_DECRYPT, or key management functions with a key whose length is not 16, 24, or 32 bytes. MySQL also raises it if an outdated SHA1 or MD5 hash is used instead of HKDF or PBKDF2.
It appears in logs, client messages, or SHOW WARNINGS output after statements that call the encryption functions.
Always supply an exact key length. If you already have random bytes, truncate or pad to 16, 24, or 32 bytes. If your secret is a passphrase, derive a key using a modern KDF like PBKDF2 or HKDF inside MySQL 8.0 or in application code.
Legacy applications often call AES_ENCRYPT(column,'password') where 'password' is fewer than 16 bytes. Replace that literal with UNHEX(SHA2('password',256)) or a binary column that stores HKDF output.
Data migrations may copy keys from other systems. Verify byte length with SELECT OCTET_LENGTH(key_col) and standardize lengths before encryption.
Store keys in binary columns with NOT NULL and check constraints on length. Use parameterized queries to avoid accidental string truncation. Prefer AES functions that accept a binary key rather than literals.
Monitor SHOW WARNINGS and error logs in Galaxy or your CI pipeline. Add automated tests that attempt an encryption round trip and alert on warnings.
Passing a human-readable password like "secret" directly into AES_ENCRYPT yields a 6-byte key and triggers the warning.
Some systems generate 64-byte hex strings and pass them untrimmed, which yields more than 32 bytes after UNHEX and triggers the warning.
Using SHA1 or MD5 to hash a passphrase is considered insecure; MySQL flags this unless HKDF or PBKDF2 are employed.
Supplying a VARCHAR value without CAST AS BINARY may change length due to character set encoding, leading to an unexpected key size.
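The following is an added walkthrough, not code from the original page or from the MySQL or Galaxy documentation: it reproduces the short-passphrase mistake above, then applies the fixes described earlier (an exactly sized key from SHA2, the server-side PBKDF2 derivation available from MySQL 8.0.30, a round-trip check, and a length CHECK on stored keys). The plaintext, passphrase, salt and the tenant_key table are constructed for the example; note that truncating a longer random key keeps its entropy, while padding a short one does not.

```sql
-- Pick the block mode first: the key must match its length (aes-256-* needs 32 bytes).
SET SESSION block_encryption_mode = 'aes-256-cbc';
SET @iv = RANDOM_BYTES(16);            -- CBC needs a 16-byte IV; store it with the ciphertext

-- 1. Reproduce the warning: a 6-byte passphrase is not a valid AES key.
SELECT HEX(AES_ENCRYPT('sample plaintext', 'secret', @iv)) AS ct_bad;
SHOW WARNINGS;                         -- 3237 WARN_AES_KEY_SIZE

-- 2. Quick fix from the text: hash the passphrase to exactly 32 bytes.
--    SHA2 is unsalted and unstretched, so prefer a real KDF for passphrases.
SET @key = UNHEX(SHA2('secret', 256));
SELECT OCTET_LENGTH(@key) AS key_len;  -- 32, matches aes-256-*
SELECT HEX(AES_ENCRYPT('sample plaintext', @key, @iv)) AS ct_ok;
SHOW WARNINGS;                         -- empty

-- 3. Built-in KDF (MySQL 8.0.30 and later): the server derives the key with PBKDF2.
--    Salt and iteration count are constructed here; keep them with the ciphertext.
--    The warning text also asks a KDF passphrase to be at least the key length, so use a long one.
SET @salt = RANDOM_BYTES(16);
SET @passphrase = 'constructed-passphrase-of-at-least-32-bytes!';
SELECT HEX(AES_ENCRYPT('sample plaintext', @passphrase, @iv, 'pbkdf2_hmac', @salt, 2000)) AS ct_kdf;
SHOW WARNINGS;                         -- empty: derived key has the mode's length

-- 4. Round-trip check for a CI test: must return 1 and leave SHOW WARNINGS empty.
SELECT AES_DECRYPT(AES_ENCRYPT('sample plaintext', @key, @iv), @key, @iv) = 'sample plaintext' AS round_trip_ok;
SHOW WARNINGS;

-- 5. Stored keys: enforce the length in the schema (CHECK is enforced from MySQL 8.0.16).
--    Only the length matching block_encryption_mode avoids the warning at encrypt time.
CREATE TABLE tenant_key (
  tenant_id INT UNSIGNED NOT NULL PRIMARY KEY,
  aes_key   VARBINARY(32) NOT NULL,
  CONSTRAINT chk_aes_key_len CHECK (OCTET_LENGTH(aes_key) IN (16, 24, 32))
);
```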
Raised when AES_ENCRYPT arguments are NULL or types do not match. Different from WARN_AES_KEY_SIZE, which focuses on key length.
Occurs when KDF parameters are malformed. Often appears together with key size warnings.
Indicates use of deprecated encryption functions like AES_ENCRYPT(str,key_str) without mode options.
No. It is a warning, not an error, so the statement completes. However, you should correct it to maintain strong encryption.
Ignoring it reduces security, and future MySQL versions may block such keys outright. Always fix it by using correct key lengths or a KDF.
MySQL 5.7.40 and all 8.0 versions include this warning. Earlier releases silently accepted bad key lengths.
Galaxy surfaces SHOW WARNINGS output in the editor, flags security issues inline, and suggests KDF based fixes through its AI copilot.