Syntax

AES_ENCRYPT(crypt_str, key_str, [, iv [, mode]])

AES_DECRYPT(crypt_str,key_str)

Description

This function allows decryption of data using the official AES (Advanced Encryption Standard) algorithm. For more information, see the description of .

_{This page is licensed: GPLv2, originally from}

Syntax

ENCODE(str,pass_str)

Description

Encrypt str using pass_str as the password. To decrypt the result, use .

The result is a binary string of the same length as str.

The strength of the encryption is based on how good the random generator is.

It is not recommended to rely on the encryption performed by the ENCODE function. Using a salt value (changed when a password is updated) will improve matters somewhat, but for storing passwords, consider a more cryptographically secure function, such as .

Examples

_{This page is licensed: GPLv2, originally from}

Syntax

KDF(key_str, salt [, {info | iterations} [, kdf_name [, width ]]])

Description

KDF is a key derivation function, similar to OpenSSL's EVP_KDF_derive(). The purpose of a KDF is to be slow, so if the calculated value is lost/stolen, the original key_str is not achievable easily with modern GPU. KDFs are therefore an ideal replacement for password hashes. KDFs can also pad out a password secret to the number of bits used in encryption algorithms.

For generating good encryption keys for a less expensive but cryptographically secure function like is recommended.

• kdf_name is "hkdf" or "pbkdf2_hmac" (default).

• Width (in bits) can be any number divisible by 8, by default it's taken from @@block_encryption_mode.

• Iterations must be positive, and is 1000 by default.

Note that OpenSSL 1.0 doesn't support HKDF, so in this case NULL is returned. This OpenSSL version is still used in SLES 12 and CentOS 7.

Examples

_{This page is licensed: CC BY-SA / Gnu FDL}

Syntax

Description

Encrypts a string using the Unix crypt() system call, returning an encrypted binary string. The salt

Syntax

In :

In all modes:

Syntax

Description

Returns the length that the compressed string had before being compressed with .

Syntax

DES_DECRYPT(crypt_str[,key_str])

Description

Decrypts a string encrypted with . If an error occurs, this function returns NULL.

This function works only if MariaDB has been configured with .

If no key_str argument is given, DES_DECRYPT() examines the first byte of the encrypted string to determine the DES key number that was used to encrypt the original string, and then reads the key from the DES key file to decrypt the message. For this to work, the user must have the SUPER privilege. The key file can be specified with the--des-key-file server option.

If you pass this function a key_str argument, that string is used as the key for decrypting the message.

If the crypt_str argument does not appear to be an encrypted string, MariaDB returns the given crypt_str.

_{This page is licensed: GPLv2, originally from}

Syntax

Description

Encrypts the string with the given key using the Triple-DES algorithm.

This function works only if MariaDB has been configured with .

The encryption key to use is chosen based on the second argument toDES_ENCRYPT(), if one was given. With no argument, the first key from the DES key file is used. With a key_num argument, the given key number (0-9) from the DES key file is used. With a key_str argument, the given key string is used to encrypt str.

The key file can be specified with the --des-key-file server option.

The return string is a binary string where the first character isCHAR(128 | key_num). If an error occurs, DES_ENCRYPT() returns NULL.

The 128 is added to make it easier to recognize an encrypted key. If you use a string key, key_num is 127.

The string length for the result is given by this formula:

Each line in the DES key file has the following format:

Each key_num value must be a number in the range from 0 to 9. Lines in the file may be in any order. des_key_str is the string that is used to encrypt the message. There should be at least one space between the number and the key. The first key is the default key that is used if you do not specify any key argument to DES_ENCRYPT().

You can tell MariaDB to read new key values from the key file with the FLUSH DES_KEY_FILE statement. This requires the RELOAD privilege.

One benefit of having a set of default keys is that it gives applications a way to check for the existence of encrypted column values, without giving the end user the right to decrypt those values.

Examples

See Also

_{This page is licensed: GPLv2, originally from}

Syntax

COMPRESS(string_to_compress)

Description

Compresses a string and returns the result as a binary string. This function requires MariaDB to have been compiled with a compression library such as zlib. Otherwise, the return value is always NULL. The compressed string can be uncompressed with .

The server system variable indicates whether a compression library is present.

Examples

See Also

_{This page is licensed: GPLv2, originally from}

Syntax

Description

Calculates an MD5 128-bit checksum for the string.

The return value is a 32-hex digit string, and a nonbinary string in the connection

Syntax

Description

OLD_PASSWORD()

Syntax

Description

Calculates an SHA-1 160-bit checksum for the string

The RANDOM_BYTES function generates a binary string of random bytes.

Syntax

Description

Given a length from 1 to 1024, generates a binary string of length consisting of random bytes generated by the SSL library's random number generator.

See the RAND_bytes() function documentation of your SSL library for information on the random number generator. In the case of , a cryptographically secure pseudo random generator (CSPRNG) is used.

Statements containing the RANDOM_BYTES function are .

An error occurs if length is outside the range 1 to 1024.

_{This page is licensed: CC BY-SA / Gnu FDL}

Syntax

SHA2(str,hash_len)

Description

Given a string str, calculates an SHA-2 checksum, which is considered more cryptographically secure than its equivalent. The SHA-2 family includes SHA-224, SHA-256, SHA-384, and SHA-512, and the hash_len must correspond to one of these, i.e. 224, 256, 384 or 512. 0 is equivalent to 256.

The return value is a nonbinary string in the connection , determined by the values of the and system variables.

NULL is returned if the hash length is not valid, or the string str is NULL.

Examples

_{This page is licensed: CC BY-SA / Gnu FDL}

Syntax

AES_ENCRYPT(str, key, [, iv [, mode]])

AES_ENCRYPT(str,key_str)

Description

AES_ENCRYPT() and allow encryption and decryption of data using the official AES (Advanced Encryption Standard) algorithm, previously known as "Rijndael." Encoding with a 128-bit key length is used (from , this is the default, and can be changed). 128 bits is much faster and is secure enough for most purposes.

AES_ENCRYPT() encrypts a string str using the key key_str, and returns a binary string.

AES_DECRYPT() decrypts the encrypted string and returns the original string.

The input arguments may be any length. If either argument is NULL, the result of this function is also NULL.

Because AES is a block-level algorithm, padding is used to encode uneven length strings and so the result string length may be calculated using this formula:

If AES_DECRYPT() detects invalid data or incorrect padding, it returns NULL. However, it is possible for AES_DECRYPT() to return a non-NULL value (possibly garbage) if the input data or the key is invalid.

MariaDB starting with

Examples

See Also

• is a function for generating good encryption keys for AES_ENCRYPT.

• is a key derivation function which is useful if an authentication validation against the value is required without data being able to be decrypted.

_{This page is licensed: GPLv2, originally from}

Syntax

UNCOMPRESS(string_to_uncompress)

Description

Uncompresses a string compressed by the COMPRESS() function. If the argument is not a compressed value, the result is NULL. This function requires MariaDB to have been compiled with a compression library such as zlib. Otherwise, the return value is always NULL. The server system variable indicates whether a compression library is present.

Examples

_{This page is licensed: GPLv2, originally from}

Syntax

PASSWORD(str)

Description

The PASSWORD() function is used for hashing passwords for use in authentication by the MariaDB server. It is not intended for use in other applications.

Calculates and returns a hashed password string from the plaintext password str. Returns an empty string if the argument is NULL.

The return value is a nonbinary string in the connection , determined by the values of the and system variables.

This is the function that is used for hashing MariaDB passwords for storage in the Password column of the (see ), usually used with the statement. It is not intended for use in other applications.

The function takes into account the authentication plugin where applicable (a or statement). For example, when used in conjunction with a user authenticated by the , the statement will create a longer hash:

The behavior of this function is affected by the value of the system variable. If this is set to 1 (0 is default), MariaDB reverts to using the by default for newly created users and passwords.

Examples

See Also

• - permits the setting of basic criteria for passwords

• - pre-MySQL 4.1 password function

_{This page is licensed: GPLv2, originally from}