Encryption Functions

AES_ENCRYPT(string,key_string) , AES_DECRYPT(string,key_string) These functions allow encryption/decryption of data using the official AES (Advanced Encryption Standard) algorithm, previously known as Rijndael. Encoding with a 128-bit key length is used, but you can extend it up to 256 bits by modifying the source. We chose 128 bits because it is much faster and it is usually secure enough. The input arguments may be any length. If either argument is NULL, the result of this function is also NULL. As AES is a block-level algorithm, padding is used to encode uneven length strings and so the result string length may be calculated as 16*(trunc(string_length/16)+1). If AES_DECRYPT() detects invalid data or incorrect padding, it returns NULL. However, it is possible for AES_DECRYPT() to return a non-NULL value (possibly garbage) if the input data or the key are invalid. You can use the AES functions to store data in an encrypted form by modifying your queries:
    INSERT INTO t VALUES (1,AES_ENCRYPT('text','password'));
    
You can get even more security by not transferring the key over the connection for each query, which can be accomplished by storing it in a server side variable at connection time:
    SELECT @password:='my password';
    INSERT INTO t VALUES (1,AES_ENCRYPT('text',@password));
    
AES_ENCRYPT() and AES_DECRYPT() were added in version 4.0.2, and can be considered the most cryptographically secure encryption functions currently available in MySQL.
DECODE(crypt_str,pass_str) Descrypts the encrypted string crypt_str using pass_str as the password. crypt_str should be a string returned from ENCODE().
ENCODE(str,pass_str) Encrypt str using pass_str as the password. To decrypt the result, use DECODE(). The results is a binary string of the same length as string. If you want to save it in a column, use a BLOB column type.
DES_DECRYPT(string_to_decrypt [, key_string]) Decrypts a string encrypted with DES_ENCRYPT(). Note that this function only works if MySQL has been configured with SSL support. See Secure connections. If no key_string argument is given, DES_DECRYPT() examines the first byte of the encrypted string to determine the DES key number that was used to encrypt the original string, then reads the key from the des-key-file to decrypt the message. For this to work the user must have the SUPER privilege. If you pass this function a key_string argument, that string is used as the key for decrypting the message. If the string_to_decrypt doesn't look like an encrypted string, MySQL will return the given string_to_decrypt. On error, this function returns NULL.
DES_ENCRYPT(string_to_encrypt [, (key_number | key_string) ] ) Encrypts the string with the given key using the Triple-DES algorithm. Note that this function only works if MySQL has been configured with SSL support. See Secure connections. The encryption key to use is chosen the following way:
ArgumentDescription
Only one argument The first key from des-key-file is used.
key number The given key (0-9) from the des-key-file is used.
string The given key_string will be used to crypt string_to_encrypt.
ENCRYPT(str[,salt]) Encrypt str using the Unix crypt() system call. The salt argument should be a string with two characters. (As of MySQL Version 3.22.16, salt may be longer than two characters.)
    mysql> SELECT ENCRYPT("hello");
            -> 'VxuFAJXVARROc'
    
ENCRYPT() ignores all but the first 8 characters of str, at least on some systems. This behavior is determined by the implementation of the underlying crypt() system call. If crypt() is not available on your system, ENCRYPT() always returns NULL. Because of this we recommend that you use MD5() or SHA1() instead; these two functions exist on all platforms.
 
MD5(string) Calculates an MD5 128-bit checksum for the string. The value is returned as a 32-digit hex number that may, for example, be used as a hash key:
    mysql> SELECT MD5("testing");
            -> 'ae2b1fca515949e5d54fb22b8ed95575'
    
This is the "RSA Data Security, Inc. MD5 Message-Digest Algorithm".
 
PASSWORD(str) , OLD_PASSWORD(str) Calculates a password string from the plaintext password str. This is the function that is used for encrypting MySQL passwords for storage in the Password column of the user grant table:
    mysql> SELECT PASSWORD('badpwd');
            -> '7f84554057dd964b'
    
PASSWORD() encryption is non-reversible. PASSWORD() does not perform password encryption in the same way that Unix passwords are encrypted. See ENCRYPT(). Note: The PASSWORD() function is used by the authentication system in MySQL Server, you should NOT use it in your own applications. For that purpose, use MD5() or SHA1() instead. Also see RFC-2195 for more information about handling passwords and authentication securely in your application.
 
SHA1(string) , SHA(string) Calculates an SHA1 160-bit checksum for the string, as described in RFC 3174 (Secure Hash Algorithm). The value is returned as a 40-digit hex number, or NULL in case the input argument was NULL. One of the possible uses for this function is as a hash key. You can also use it as cryptographically safe function for storing passwords.
    mysql> SELECT SHA1("abc");
            -> 'a9993e364706816aba3e25717850c26c9cd0d89d'
    
SHA1() was added in version 4.0.2, and can be considered a cryptographically more secure equivalent of MD5(). SHA() is synonym for SHA1().