I normally do not endorse any one specific product, but in this case I will make an exception.
I have personally evaluated a product called Gazzang. It can encrypt data in such a way that when transported to another server, the data is unreadable unless the encryption key is copied and verified on that external server. I have tried this and copied /var/lib/mysql on another server that did not have the encryption key. The only SQL command that worked with the database encrypted is SHOW DATABASES;
. Nothing else worked.
There are some hoops to jump through to get an entire /var/lib/mysql
folder encrypted. Once done, you never have to worry about data encryption. Perhaps you could start like this:
- Installation MySQL on a DB Server
- Apply Gazzang's ezncrypt program against the empty
/var/lib/mysql
- Load a mysqldump into it
The beautiful part of my evaluation was that the MySQL data was fully accessible by standard DB Connections. Gazzang does not shield normal access protocols. You must take up responsibility for securing passwords:
EPILOGUE
As for the physical data itself, this worked during the 30-day evaluation. Please evaluate it for yourself. I will leave it to you to investigate production case studies on Gazzang.
UPDATE 2015-09-29 12:26 EDT
Cloudera purchased and deprecated Gazzang.
Cloudera Data Encryption is still available.
Here is a more secure way to reset password without skip-grant-tables
Suppose you want root to have myn3wp@ssw0rd
as the password
Step 01 : Create a script to execute when mysqld first start up
Create a file called /var/lib/mysql/init-file.sql
with these two lines
GRANT ALL PRIVILEGES ON *.* to root@localhost
IDENTIFIED BY 'myn3wp@ssw0rd' WITH GRANT OPTION;
Step 02 : Run these three(3) lines in the OS
chown mysql:mysql /var/lib/mysql/init-file.sql
service mysql restart --init-file=/var/lib/mysql/init-file.sql
rm -f /var/lib/mysql/init-file.sql
Step 03 : THERE IS NO STEP 03
. YOU ARE DONE !!!
Give it a Try !!!
CAVEAT
UPDATE 2013-06-17 07:05 EDT
OK Since mysqld for Ubuntu does not like init-file on the command, you must edit the my.cnf
. Please do these next two steps
STEP 01) Add these lines to my.cnf
under the [mysqld]
group header
[mysqld]
init-file=/var/lib/mysql/init-file.sql
STEP 02) Allow mysql to read files from /etc/mysql
sudo vim /etc/apparmor.d/usr.sbin.mysqld
Add the line:
/etc/mysql/*.sql r,
STEP 03) Restart MySQL
This should work for you. Give it a Try !!!
Best Answer
As indicated there is no option.
The person that has the ability to trigger the mysqld with
--init-file
is either root or the mysql user who can overwrite all of the mysqldatadir including all permission tables of the mysql. That is why there isn't even a considered option to achieve this.