mysql - Mysqldump launched by cron and password security

Question

I wrote a script to backup my MySQL databases using:

mysqldump --opt --all-databases -u user -pmypassword > myDump.sql

A cron launches it every night and scp the result to another server. mypassword appears in clear in my script, everyone can see it with the appropriate rights. I have been told about /proc issues too (where the cmd run can be seen).

MySQL documentation says:

Specifying a password on the command line should be considered insecure. See Section 7.6, "Keeping Your Password Secure".

I have not found this magic 7.6 sections anywhere.

What is the good practice to deal with automatic mysqldump and password security?

Answer 1

Quoting the MySQL docs(http://dev.mysql.com/doc/refman/5.1/en/password-security-user.html):

Store your password in an option file. For example, on Unix you can list your password in the [client] section of the .my.cnf file in your home directory:

[client]
password=your_pass

To keep the password safe, the file should not be accessible to anyone but yourself. To ensure this, set the file access mode to 400 or 600. For example:

shell> chmod 600 .my.cnf

To name from the command line a specific option file containing the password, use the --defaults-file=file_name option, where file_name is the full path name to the file.