MySQL 8 Enterprise Security

Wednesday, May 1, 2019 by Lucas Vogel

MySQL Enterprise Edition provides plugins that implement security features using external services for Pluggable Authentication Modules (PAM) and Microsoft Active Directory, as well as an extra Oracle feature.

Category: Enterprise Features


Enterprise Security provides critical security infrastructure that isn't provided out of the box in the non-commercial Community Edition of MySQL Server.

PAM and LDAP

MySQL Enterprise Edition includes an authentication plugin that enables MySQL Server to use the PAM Pluggable Authentication Module plugin to authenticate MySQL users. PAM enables a system to use a standard interface to access various kinds of authentication methods, such as Unix passwords or an LDAP directory like OpenLDAP or Oracle Internet Directory.

Windows Pluggable Authentication

MySQL Enterprise Edition for Windows supports an authentication method that performs external authentication on Windows, enabling MySQL Server to use native Windows services to authenticate client connections. Users who have logged in to Windows can connect from MySQL client programs to the server based on the information in their environment without specifying an additional password. Using the Windows Pluggable Authentication plugin requires MySQL Enterprise be installed on a Windows server. By default, the plugin uses Kerberos to authenticate, then NTLM if Kerberos is unavailable.

Keyring Service

MySQL Enterprise Edition includes a keyring plugin that uses Oracle Key Vault, AWS and encrypted file, as a back end for keyring storage.

A keyring enables internal server components and plugins to securely store sensitive information for later retrieval, such as encryption keys for database components like the binary or audit log.

If any of these features sound like something you need in your MySQL implementation, feel free to reach out today for a free quote on licensing and hands-on support to get you into a pre-configured environment today!

Data Masking and De-Identification

MySQL 8 Enterprise includes masking and de-identification features to help keep sensitive data hidden from users in applications. Functions like mask_inner(), mask_pan() and mask_ssn() help developers ensure security and compliance in applications requiring the display of sensitive data to operators.

MySQL Enterprise Security Features