--- title: "Upgrading MySQL 8.0 databases on Cloud Platform to utilize a SHA-2 based authentication plugin" date: "2026-04-27T20:55:48+00:00" summary: image: type: "article" url: "/acquia-cloud-platform/help/97366-upgrading-mysql-80-databases-cloud-platform-utilize-sha-2-based-authentication-plugin" id: "aed1fe06-2bef-427d-8c0e-8d3c95eb1186" --- Acquia is upgrading all MySQL 8.0 databases to the `caching_sha2_password` authentication plugin to ensure that digital experiences meet modern security and industry standards. This update changes the authentication from a SHA-1 based method to a SHA-2 based method to mitigate risks associated with older hashing methods, reflect industry-wide security best practices, and meet mandatory compliance requirements for Federal Risk and Authorization Management Program (FedRAMP) Note This update does not change customer application user records, credentials, or connection strings. ### **Frequently Asked Questions** **Q: Is there any action required on my part?** * If you access databases exclusively through Drupal or the Acquia-provided command line interface (CLI) through Secure Shell (SSH), no action is required because these methods are compatible with the updated SHA-2 authentication plugin. * If you use customized MySQL clients, legacy connection libraries, or non-standard database drivers that are not provided by Acquia Platform, you must ensure they support SHA-256 based authentication. Most modern tools and continuous integration and continuous delivery (CI/CD) pipelines support this standard. Customized agents that are not compatible with SHA-256 based authentication can experience connection failures. **Q: How to identify a customized MySQL database connection?** * If you [access the database primarily through Drupal or the Acquia-provided SSH pods](/acquia-cloud-platform/accessing-your-database-command-line "Accessing your database from the command line"), you are using the standard connection. * If you access database through external database connections that are initiated from outside the Acquia platform, you are using Customized MySQL database. External database connections are initiated through remote database administration tools or automated external integrations such as [MySQL Workbench](https://docs.acquia.com/acquia-cloud-platform/help/94096-connect-mysql-workbench-acquia-cloud-database?searchQuery=MySQL%20workbench&searchFiltersProducts=), As these tools rely on internal connection libraries, you must ensure that external software is updated to a version that supports the modern SHA-2 standard. **Q: Why is this change happening?** Cloud Next databases run Aurora Version 3 (MySQL 8.0). Although the community version of MySQL 8.0 moved to SHA-2 as the default authentication method, all Aurora Version 3 databases currently use `mysql_native_password`, which is based on SHA-1. For additional information, visit [AWS Authentication](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Compare-80-v3.html#AuroraMySQL.mysql80-authentication). SHA-1 is weak compared to SHA-256 based modern authentication standards such as `caching_sha2_password`. Also, SHA-1 is not compliant with Federal Information Processing Standards (FIPS). Transitions to `caching_sha2_password` (SHA-2) aligns the platform with global security best practices and ensures that data remains protected. Acquia is transitioning all MySQL 8.0 databases to this higher security standard to ensure alignment with industry best practices. This update ensures that customers benefit from modern protection against sophisticated attacks while meeting the latest National Institute of Standards and Technology (NIST) and FIPS requirements. These standards serve as a global benchmark for secure data handling. **Q: Will there be any downtime during this change?** While the update is applied, databases can drop active connections. Expect a brief interruption to site connectivity, typically lasting from a few seconds to 2 minutes. **Q: What happens if my external tooling is incompatible?** Incompatible drivers or libraries result in connection failures after the hashing type changes. The system might display error messages such as: * `'Authentication plugin 'caching_sha2_password' cannot be loaded'` * `'Authentication plugin 'caching_sha2_password' is not supported'` * `'.../caching_sha2_password.so: image not found'` * `'Client does not support authentication protocol requested by server'` If issues occur with a specific database after the change, Acquia recommends that you update the client to a version that supports SHA-256-based authentication. For additional questions, [contact Acquia Support](https://acquia.my.site.com/s/contactsupport).  **Q: Can I test this in my development environment before the production migration? If so, how?** You can test in non-production environments before the production migration. Acquia is upgrading non-production environments first and then production environments. After the non-production environment upgrade is complete, ensure that workflows function as expected in non-production environments to verify results before the scheduled production environment upgrades. To test the non-production environment after the upgrade: 1. Create a new environment or database for the non-production environment. This environment uses SHA-2. 2. Verify site functionality by ensuring that the site loads, serves pages, and performs read and write operations. For example, if content edits, form submissions, and cache clears function as expected, SHA-2 works correctly. The test is to confirm normal site operation. If the site cannot connect to the non-production database, [contact Acquia Support](https://acquia.my.site.com/s/contactsupport). **Q: Is there support available if I encounter issues during the update?** If you encounter blockers or connection failures during the update, [contact Acquia Support](https://acquia.my.site.com/s/contactsupport).