Last tested: Oct 1, 2019
 

When moving a previously self-hosted instance to a MySQL backend, users are instructed to create a looker-db.yml file that contains the MySQL database credentials: https://docs.looker.com/setup-and-management/on-prem-mgmt/migrating-to-mysql#create_a_database_crede...

Those who do not want the clear text password for this configuration in a file on disk may optionally set environment variables for "LOOKER_DB" to accomplish the same thing.

You can set the environment variable "LOOKER_DB" to contain a list of key/values for each line in the looker-db.yml file.
export LOOKER_DB="dialect=mysql&host=localhost&username=root&password=&database=looker&port=3306"

We'd also recommend that they limit use of the MySQL user account created to the IP address used by your Looker server

It is important to also consider that, given Looker's encryption scheme, all sensitive data in the database is encrypted at rest.  If someone were to steal the database credentials, and access the database, the most sensitive of data, such as passwords, analytics db credentials, query cache etc, are all stored encrypted or hashed.