# AES\_ENCRYPT

## Syntax

{% tabs %}
{% tab title="Current" %}

```sql
AES_ENCRYPT(str, key, [, iv [, mode]])
```

{% endtab %}

{% tab title="< 11.2" %}

```sql
AES_ENCRYPT(str,key_str)
```

{% endtab %}
{% endtabs %}

## Description

`AES_ENCRYPT()` and [AES\_DECRYPT()](https://mariadb.com/docs/server/reference/sql-functions/secondary-functions/encryption-hashing-and-compression-functions/aes_decrypt) allow encryption and decryption of data using the official AES (Advanced Encryption Standard) algorithm, previously known as "Rijndael." Encoding with a 128-bit key length is used (from [MariaDB 11.2.0](https://app.gitbook.com/s/aEnK0ZXmUbJzqQrTjFyb/community-server/old-releases/11.2/11.2.0), this is the default, and can be changed). 128 bits is much faster and is secure enough for most purposes.

`AES_ENCRYPT()` encrypts a string *`str`* using the key *`key_str`*, and returns a binary string.

`AES_DECRYPT()` decrypts the encrypted string and returns the original string.

The input arguments may be any length. If either argument is `NULL`, the result of this function is also `NULL`.

Because AES is a block-level algorithm, padding is used to encode uneven length strings and so the result string length may be calculated using this formula:

```sql
16 x (trunc(string_length / 16) + 1)
```

If `AES_DECRYPT()` detects invalid data or incorrect padding, it returns `NULL`. However, it is possible for `AES_DECRYPT()` to return a non-`NULL` value (possibly garbage) if the input data or the key is invalid.

**MariaDB starting with** [**11.2**](https://app.gitbook.com/s/aEnK0ZXmUbJzqQrTjFyb/community-server/old-releases/11.2/what-is-mariadb-112)

{% tabs %}
{% tab title="Current" %}
The function supports an initialization vector, and control of the block encryption mode. The default mode is specified by the [block\_encryption\_mode](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#block_encryption_mode) system variable, which can be changed when calling the function with a mode. *mode* is aes-{128,192,256}-{ecb,cbc,ctr} for example: "AES-128-cbc".\
`AES_ENCRYPT(str, key)` can no longer be used in persistent virtual columns (and the like).
{% endtab %}

{% tab title="Tab 2" %}
The function does **not** support an initialization vector.
{% endtab %}
{% endtabs %}

## Examples

{% tabs %}
{% tab title="Current" %}

```sql
SELECT HEX(AES_ENCRYPT('foo', 'bar', '0123456789abcdef', 'aes-256-cbc')) AS x;
+----------------------------------+
| x                                |
+----------------------------------+
| 42A3EB91E6DFC40A900D278F99E0726E |
+----------------------------------+
```

{% endtab %}

{% tab title="< 11.2" %}

```sql
INSERT INTO t VALUES (AES_ENCRYPT('text',SHA2('password',512)));
```

{% endtab %}
{% endtabs %}

## See Also

* [RANDOM\_BYTES()](https://mariadb.com/docs/server/reference/sql-functions/secondary-functions/encryption-hashing-and-compression-functions/random_bytes) is a function for generating good encryption keys for `AES_ENCRYPT`.
* [KDF()](https://mariadb.com/docs/server/reference/sql-functions/secondary-functions/encryption-hashing-and-compression-functions/kdf) is a key derivation function which is useful if an authentication validation against the value is required without data being able to be decrypted.

<sub>*This page is licensed: GPLv2, originally from*</sub> [<sub>*fill\_help\_tables.sql*</sub>](https://github.com/MariaDB/server/blob/main/scripts/fill_help_tables.sql)

{% @marketo/form formId="4316" %}