The error “Public Key Retrieval is not allowed” happens because MySQL 8+ uses caching_sha2_password as the default authentication plugin.
When a client (like DBeaver) connects remotely, MySQL tries to use RSA public key encryption to secure the password. If the client does not allow retrieving the server’s public key, the connection fails with this error.
Solution
To fix this, you can set allowPublicKeyRetrieval=true in DBeaver’s Driver Properties.
Steps:
- Right-click the database connection that you want to connect to.
- Select Edit Connection from the menu.

- Switch to the tab Driver properties.
- Modify the allowPublicKeyRetrieval parameter to TRUE.

- Click OK to save the changes.
Now you can connect to your database without the error.
What allowPublicKeyRetrieval=true does
When you set this in DBeaver’s Driver Properties, the following happens behind the scenes:
- Client knows it’s allowed to fetch the public key: The JDBC driver checks this parameter. If false (default), the client will not request the public key, causing the “Public Key Retrieval is not allowed” error.
- Client requests the public key from the server: During connection initialization, the client asks the server for its RSA public key.
- Client encrypts the password with the public key: Once it has the key, the client encrypts its password.
- Server decrypts and authenticates: The server uses its private key to decrypt the password and verify the credentials.
Why it’s disabled by default
Security reason: Automatically fetching a public key could be exploited in a man-in-the-middle attack if connecting to an untrusted server.
It is safe to enable in local development or on trusted networks, but be cautious in production environments.
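For production connections, the check below is an added example (not from the original post): it reads MySQL Connector/J connection URLs and flags the ones that set allowPublicKeyRetrieval=true with nothing that lets the client verify the server. The host names and key path are constructed; sslMode and serverRSAPublicKeyFile are Connector/J properties not covered above, and the result labels are this example's own.

```python
from urllib.parse import urlsplit, parse_qs

# sslMode values under which the driver validates the server certificate.
# REQUIRED and PREFERRED encrypt but do not authenticate the server.
VERIFYING_SSL_MODES = {"VERIFY_CA", "VERIFY_IDENTITY"}

# Constructed sample URLs (hosts and key path are placeholders)
SAMPLE_URLS = [
    "jdbc:mysql://db.example.internal:3306/app?allowPublicKeyRetrieval=TRUE&sslMode=DISABLED",
    "jdbc:mysql://db.example.internal:3306/app?allowPublicKeyRetrieval=true&sslMode=VERIFY_IDENTITY",
    "jdbc:mysql://db.example.internal:3306/app?serverRSAPublicKeyFile=/etc/mysql/server_public_key.pem",
    "jdbc:mysql://localhost:3306/app",
]

def driver_properties(jdbc_url):
    """Return the query-string properties of a jdbc:mysql:// URL as a dict."""
    if not jdbc_url.startswith("jdbc:"):
        raise ValueError("not a JDBC URL: " + jdbc_url)
    query = urlsplit(jdbc_url[len("jdbc:"):]).query
    # If a property is repeated, this script keeps the last occurrence.
    parsed = parse_qs(query, keep_blank_values=True)
    return {name: values[-1] for name, values in parsed.items()}

def assess(jdbc_url):
    """Classify how the client would learn which server it is talking to."""
    props = driver_properties(jdbc_url)
    # Certificate-verified TLS authenticates the server before any password is sent.
    if props.get("sslMode", "").upper() in VERIFYING_SSL_MODES:
        return "verified-tls"
    # A local copy of the server's RSA public key means no key is taken from the network.
    if props.get("serverRSAPublicKeyFile"):
        return "pinned-key"
    # The key is accepted from whichever host answers: the man-in-the-middle case.
    if props.get("allowPublicKeyRetrieval", "false").lower() == "true":
        return "unverified-server"
    # Default: the driver refuses to fetch the key.
    # Legacy useSSL/verifyServerCertificate properties are not evaluated here.
    return "retrieval-disabled"

def risky(urls):
    """Return the URLs that need review before use outside a trusted network."""
    return [u for u in urls if assess(u) == "unverified-server"]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{assess(url):20} {url}")
```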
