Centos 7

No, mysql_config_editor doesn't encrypt, but only obfuscates passwords, that might create a false sense of security.

But having the password in a script is not a good idea, it'll be visible to ps. Better to put your password in a separate file and specify it with --defaults-extra-file.

Even If we are specifying in a separate file it will be visible to every one right....
Here my concern is not to have the password visible to any user.. How can I achieve it??

Thanks in advance....

The file name, yes. But the file doesn't have to be world readable, you can make it readable only by that user who runs the backup job.

And that user will always be able to read the password, even if you use mysql_config_editor.

All you had to do was continue supporting the tool, and also set the permissions correctly on `$HOME/.mylogin.cnf`. Simple.

Before: A working tool with obfuscated logins, in a file which can be locked down to a specific user.
After: Non-working tool, unobfuscated logins in plaintext files, in a file which can be locked down to a specific user.

How is this better?

BTW, the default permissions on the config file created by `mysql_config_editor` are user read-write only.

This is as secure as your suggested replacement. More so, since it's also obfuscated.

Furthermore, there's this from the documentation for the tool.

> The login path file must be readable and writable to the current user, and inaccessible to other users. Otherwise, mysql_config_editor ignores it, and client programs do not use it, either.

It cannot be used if it is insecurely stored.

the bug report and my old answer was for 10.3. Since 10.4 one should prefer

sudo -u mysql /path/to/script

it won't need any password at all, readable or unreadable.