Generate a strong pre-shared key

You can use a pre-shared key (PSK) (also called a shared secret) to authenticate the Cloud VPN tunnel to your peer VPN gateway. As a security best practice, we recommend that you generate a strong 32-character pre-shared key.

Use the following methods to generate a strong 32-character pre-shared key.

For more information about Cloud VPN, see the Cloud VPN overview.

For definitions of terms used on this page, see Key terms.

Generate a PSK by using JavaScript

You can generate the pre-shared key directly in a document by using JavaScript with the W3C Web Cryptography API. This API provides the Crypto.getRandomValues() method, a cryptographically strong source of random values for generating a pre-shared key.

The following code generates a random 32-character string by creating an array of 24 random bytes and then base64 encoding those bytes:

 var a = new Uint8Array(24);
 window.crypto.getRandomValues(a);
 console.log(btoa(String.fromCharCode.apply(null, a)));


Generate a PSK by using OpenSSL

In the Linux or macOS command-line interface, run the following OpenSSL command:

openssl rand -base64 24

Generate a PSK by using /dev/urandom

On a Linux or macOS operating system, use /dev/urandom as a pseudorandom source to generate a pre-shared key.

  1. In the Linux or macOS command-line interface, run the following command to send the random input to base64:

    head -c 24 /dev/urandom | base64
    
  2. Pass the random input through a hashing function, such as sha256:

    • On Linux:

      head -c 4096 /dev/urandom | sha256sum | cut -b1-32
      
    • On macOS (the -r option prints the digest first, so that cut keeps only hexadecimal characters):

      head -c 4096 /dev/urandom | openssl sha256 -r | cut -b1-32
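
The following check is an added example, not part of the original page; gen_psk and psk_bits are hypothetical helper names. It generates a key from 24 random bytes and, before the key is configured on either gateway, rejects any value that is not exactly 32 base64 or hexadecimal characters, such as digest output that still carries a label. The reported bits assume a uniform random source: 6 bits per base64 character and 4 bits per hexadecimal character.

```sh
#!/bin/sh
# Added example (not from the original page). gen_psk and psk_bits are
# hypothetical helper names.
export LC_ALL=C   # byte-wise character ranges in the patterns below

# gen_psk: 24 random bytes -> exactly 32 base64 characters (24 is a
# multiple of 3, so the encoding carries no '=' padding).
gen_psk() {
  head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# psk_bits KEY: print the key's strength in bits, assuming it came from a
# uniform random source, or return 1 if it is not a well-formed
# 32-character key.
psk_bits() {
  _k=$1
  if [ "${#_k}" -ne 32 ]; then
    echo "PSK is ${#_k} characters, expected 32" >&2
    return 1
  fi
  case $_k in
    *[!A-Za-z0-9+/]*)
      # Catches whitespace, '=' padding and digest labels such as "(stdin)= ".
      echo "PSK contains a character outside the base64/hex alphabets" >&2
      return 1 ;;
    *[!0-9a-f]*) echo 192 ;;  # base64: 32 characters x 6 bits
    *)           echo 128 ;;  # lowercase hex: 32 characters x 4 bits
  esac
}

# Constructed demo: generate, validate, then print the key once.
key=$(gen_psk) && bits=$(psk_bits "$key") &&
  printf '%s (%s bits)\n' "$key" "$bits"
```

A key taken from the first 32 hexadecimal characters of a SHA-256 digest reports 128 bits, while the base64 form of 24 random bytes reports 192 bits at the same length.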
      

What's next

  • To use high-availability and high-throughput scenarios or multiple subnet scenarios, see Advanced configurations.
  • To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-11-24 UTC.