Run VESencrypt on our server
Run VESencrypt on your server


MySQL Trial Server

The trial VESencrypt proxy is running on a public network, therefore it cannot connect to a server running on a private network. If you use a private network to connect to your server, use a Container option instead.
Note, using the VESencrypt trial server is a very fast plug and play way to deploy VESencrypt for a trial in a real environment. But, all encryption/decryption takes place on a VESencrypt server. Conversely, choosing the Deploy Container option puts the VESencrypt instance on a server under your control and therefore allows you to have end-to-end encryption and a zero knowledge solution - this is the recommended option for proper production implementation.
A note on security. Even using the Trial version of VESencrypt on our server is more secure than using the encryption of data-at-rest provided by hosted services because the key and encrypted data are housed in different locations, with different access control, mitigating 3rd and 4th party data breach risk associated with those services. Deploying VESencrypt on your server only improves the level of security.

TLS is highly recommended but not required.

Deploy the Container

MySQL VESencrypt Proxy is available on the Docker Hub as vesvault/ve_mysql_svc.

MySQL Proxy listens on TCP port 3306.

To deploy the container using CLI on your application server:

  • Launch an instance of the container:
    docker run -it --restart always vesvault/ve_mysql_svc
  • This command will output a line such as:
    listen proto=mysql srv=[]:3306 sock=3
  • The address and port from the output above are to be used for the application settings, available on the server locally. You can use Ctrl+P Ctrl+Q to detach the Docker output and return to the console while keeping the container running.

Or, to deploy the container using any kind of host management console:

  • Launch an instance of the container vesvault/ve_mysql_svc
  • Find the IP address of the instance in the management console, this address and port 3306 are to be used for the application settings, available on the server locally.

TLS can be enabled by sharing your own certificate with the container and setting VE_TLS_CERT and VE_TLS_KEY environment variables to point to the certificate and the private key files.

Automatic SNIF certificate management will be available soon.

Security notice: DO NOT use Docker port mapping (-p option for CLI) on VESencrypt containers, as it negates the security benefits of VESencrypt. If you find it necessary to access the container from other hosts, use --network=host instead of port mapping.

Application Settings

Beware: If the VESencrypt profile has already been set up, or if the proxy username is supplied without the original server hostname, the proxy connection will stall until approved in the Profile Manager. Otherwise, a grace pass-through connection without encryption will be immediately established to the database server.

Replace the database server settings in your applicaiton as following:

  • Old Settings:
    Port: 13306
    User: acmeuser1
    Password: acmesecret1
  • New Settings:
    Host: try.vesencrypt.com172.17.0.2
    Port: 3306
    Password: acmesecret1
The password does not change.
If your software has problems with long usernames or special characters in a username, the proxy username can be reduced to, other values will need to be supplied manually in the VESencrypt Profile.
You may use the mysql console with the new proxy settings:
mysql -h try.vesencrypt.com172.17.0.2 -P 3306 -u '!acmeuser1!' -pacmesecret1

Proxy Connection Troubleshooting

Some MySQL clients and libraries, notably RazorSQL, misbehave in response to a hint from the VESencrypt Proxy to use cleartext authentication, and reject the session with vatious error messages. In such case, connect to application server or MySQL client to port 33306 instead of 3306, both for VESencrypt trial server and for a Docker deployed container.

VESencrypt Profile

Once the DB settings are applied, the application will connect to the VESencrypt proxy instance. As long as VESencrypt profile identified as!acmeuser1 does not exist, and host:port are provided an the username, the proxy will immediately open a pass-through Grace Connection, no encryption enabled yet.

Use the top right menu to log in / sign up with the real email address you are using instead of to receive the alerts from the proxy.

You ( will receive an incoming connection notification, and see an alert at the top of this page.

Follow the alert to the Profile Manager page to set up your VESencrypt profile.

Once the Profile is created, any further connections from new source IPs will be stalled until you approve or reject them in the Profile Manager.

Before approving any connection to the existing profile, make sure the connection is legitimate. Beware of potential hack attemtps to get hold of your encryption keys.


When changing the database host, username and/or password, it is necessary to update the VESencrypt Profile accordingly through the Profile Manager. The server settings pointing to the proxy do not need to be updated, by any request from a new IP will be automatically rejected be the Profile Manager if the requested password does not match the current password in the Profile.

In case of accidentally approving a non-legitimate proxy request, or if an unauthorized access to any server running a VESencrypt proxy is suspected, immediately change your database password, and follow the emergency management instructions to change the encryption key and re-encrypt the data.