# Create the secret with a PSK

This page describes how to generate a pre-shared key (PSK) and use that PSK to create an authentication secret.

A PSK is a shared secret password that is used to authenticate and encrypt communication between two devices. It is a form of symmetric encryption.

Before you begin
----------------

To create a secret, you must have the necessary identity and access roles:

- VPN Admin: Has read and write permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Admin (`vpn-admin`) role.
- VPN Viewer: Has read permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Viewer (`vpn-viewer`) role.
- For more information, see [Role definitions](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/role-definitions).

Generate a PSK
--------------

Use one of the following methods to generate a strong 32-character pre-shared key.

### OpenSSL

For more information about OpenSSL, see <https://www.openssl.org/>. On a Linux or macOS system, run the following OpenSSL command:

```
openssl rand -base64 24
```

### /dev/urandom

On a Linux or macOS system, you can also use `/dev/urandom` as a pseudorandom source to generate a pre-shared key:

- On Linux or macOS, send the random input to `base64`:

  ```
  head -c 24 /dev/urandom | base64
  ```

- Pass the random input through a hashing function, such as `sha256`, and keep the first 32 hexadecimal characters of the digest:

  - On Linux:

    ```
    head -c 4096 /dev/urandom | sha256sum | cut -b1-32
    ```

  - On macOS (`shasum` ships with the system; `openssl sha256` prefixes its output with `(stdin)= `, which `cut -b1-32` would otherwise keep):

    ```
    head -c 4096 /dev/urandom | shasum -a 256 | cut -b1-32
    ```

### JavaScript

Generate the pre-shared key directly in a document by using JavaScript with the W3C Web Cryptography API. For more information, see <https://www.w3.org/TR/WebCryptoAPI/#Crypto-method-getRandomValues>.

This API uses the `Crypto.getRandomValues()` method, described at <https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues>, which provides a cryptographically sound way of generating a pre-shared key.

The following code creates an array of 24 random bytes, and then base64 encodes those bytes to produce a random 32-character string:

```
// 24 random bytes from the browser's cryptographically secure RNG.
var a = new Uint8Array(24);
window.crypto.getRandomValues(a);

// Base64-encode the bytes: 24 bytes become 32 characters.
console.log(btoa(String.fromCharCode.apply(null, a)));
```

Create the secret
-----------------

Create a secret with a PSK key in the platform namespace:

```
kubectl --kubeconfig MANAGEMENT_API_SERVER create secret -n platform generic PSK_NAME --from-literal=psk=PSK
```

Replace the following:

- MANAGEMENT_API_SERVER: the zonal API server's kubeconfig path. If you have not yet generated a kubeconfig file for the API server in your targeted zone, see [Sign in](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in#cli) for details.
- PSK_NAME: the name of the PSK key.
- PSK: the value of the PSK key.

What's next
-----------

- [Create a VPN tunnel](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/vpn/configure-the-tunnel)

Last updated: 2025-09-04 (UTC)
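The following script ties the two steps above together: it generates the PSK the way the `/dev/urandom` method does (24 random bytes, base64-encoded, 32 characters), checks the result before use, and hands the value to `kubectl` through a mode-0600 temporary file rather than `--from-literal`, so the key does not land in shell history or process listings. This is an added example, not code from the original page; `MANAGEMENT_API_SERVER` and `PSK_NAME` are assumed to be set in the environment and are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): generate, validate and store a
# PSK. Assumed inputs: MANAGEMENT_API_SERVER (kubeconfig path) and PSK_NAME
# (secret name), read from the environment; both are placeholders.
set -e

# 24 bytes from /dev/urandom, base64-encoded, newline stripped: 32 characters.
gen_psk() {
  head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# Returns 0 if the value is exactly 32 base64 characters (A-Z a-z 0-9 + / =),
# 1 otherwise, so a truncated or mangled key is caught before it is stored.
validate_psk() {
  case "$1" in
    *[!A-Za-z0-9+/=]*) return 1 ;;
  esac
  [ "${#1}" -eq 32 ]
}

# Write the PSK to a private temp file with no trailing newline (a newline
# would become part of the secret value) and print the file path.
psk_to_file() {
  f="$(mktemp)"
  chmod 600 "$f"
  printf '%s' "$1" > "$f"
  printf '%s\n' "$f"
}

main() {
  psk="$(gen_psk)"
  validate_psk "$psk" || { echo "generated PSK failed validation" >&2; exit 1; }
  file="$(psk_to_file "$psk")"
  # Remove the key file even if kubectl fails.
  trap 'rm -f "$file"' EXIT
  # Same secret the page creates, but the value is read from the file.
  kubectl --kubeconfig "${MANAGEMENT_API_SERVER:?}" create secret -n platform \
    generic "${PSK_NAME:?}" --from-file=psk="$file"
}

# The kubectl step only runs when invoked with --run; otherwise the functions
# are just defined, so the file can be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Note that 32 base64 characters from 24 random bytes carry 192 bits of entropy, whereas the 32 hexadecimal characters produced by the `sha256` variants carry 128 bits; both are adequate for a PSK, but the base64 form is the stronger of the two at the same length.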