How to Enable Encryption in Transit in MySQL

How do I enable and enforce encryption in transit in MySQL?

Encryption in transit forces client-server traffic to travel through SSL/TLS, protecting credentials and query data from network snooping.

Welcome to the Galaxy, Guardian!
You'll be receiving a confirmation email

Follow us on twitter :)

Oops! Something went wrong while submitting the form.

Description

Example H2

Example H3

Why encrypt MySQL traffic?

Plain-text MySQL sessions expose logins, card numbers, and order details to anyone on the wire. Enabling SSL/TLS closes that gap, meeting PCI-DSS and GDPR rules without rewriting queries.

Which MySQL settings activate SSL/TLS?

Add the CA, server certificate, and private key paths to my.cnf (or my.ini) under [mysqld]. Restart the server so it advertises TLS during the handshake.

How do I create users that must use SSL?

Use CREATE USER or ALTER USER with the REQUIRE clause. This flags the account so any non-encrypted login fails immediately.

What is the full syntax?

The REQUIRE clause supports SSL, X509, issuer, subject, and cipher checks. Combine them to lock clients to specific certificates or algorithms.

How can clients confirm they are encrypted?

Run SHOW STATUS LIKE 'Ssl_cipher'. A non-empty value proves the session is using TLS. Scripts can assert this after connecting.

Example workflow for an ecommerce stack

1. Update server config

\# my.cnf[mysqld]ssl-ca = /etc/mysql/certs/ca.pemssl-cert = /etc/mysql/certs/server-cert.pemssl-key = /etc/mysql/certs/server-key.pem

2. Provision a user

CREATE USER 'app_user'@'%' IDENTIFIED BY 'S3cure!' REQUIRE SSL;

3. Connect from the app

mysql --ssl-mode=REQUIRED --ssl-ca=ca.pem -u app_user -p

4. Query over the secure channel

SELECT c.name, SUM(oi.quantity) AS itemsFROM Customers cJOIN Orders o ON o.customer_id = c.idJOIN OrderItems oi ON oi.order_id = o.idWHERE o.order_date >= CURDATE() - INTERVAL 30 DAYGROUP BY c.name;

Best practices for production

Rotate certificates annually, store keys outside the repo, enforce ssl-mode=REQUIRED on all clients, and monitor performance_schema.session_status for Ssl* metrics.

What mistakes should I avoid?

Do not leave ssl-mode=DISABLED in connection strings after testing. Avoid self-signed certificates in production—use a trusted internal CA.

Why How to Enable Encryption in Transit in MySQL is important

How to Enable Encryption in Transit in MySQL Example Usage


-- Run analytic query once SSL is confirmed
SELECT p.name AS product,
       SUM(oi.quantity) AS units_sold,
       SUM(oi.quantity * p.price) AS revenue
FROM OrderItems oi
JOIN Products p ON p.id = oi.product_id
JOIN Orders o  ON o.id = oi.order_id
WHERE o.order_date BETWEEN '2023-01-01' AND '2023-12-31'
GROUP BY p.name
ORDER BY revenue DESC;

How to Enable Encryption in Transit in MySQL Syntax


-- Server-side configuration in my.cnf
[mysqld]
ssl-ca     = /etc/mysql/certs/ca.pem
ssl-cert   = /etc/mysql/certs/server-cert.pem
ssl-key    = /etc/mysql/certs/server-key.pem

-- Create user who must use any SSL cipher
CREATE USER 'app_user'@'%' IDENTIFIED BY 'S3cure!' REQUIRE SSL;

-- Lock down to a specific cipher and issuer
ALTER USER 'report_user'@'10.%' REQUIRE ISSUER '/CN=Galaxy-CA' CIPHER 'TLS_AES_256_GCM_SHA384';

-- Client connection enforcing TLS
mysql \
  --ssl-mode=REQUIRED \
  --ssl-ca=/etc/mysql/certs/ca.pem \
  --user=app_user -p

-- Verify encryption inside session
SHOW STATUS LIKE 'Ssl_cipher';

Common Mistakes

Mistake: Adding SSL files to my.cnf but forgetting to restart MySQL. The server continues to accept plain connections. Fix: Always restart or reload mysqld after certificate changes.
Mistake: Setting client flag <code>--ssl-mode=PREFERRED</code>. If negotiation fails, traffic downgrades to plaintext. Fix: Use <code>--ssl-mode=REQUIRED</code> or <code>VERIFY_CA</code>.