Generate a strong pre-shared key

You can use a pre-shared key (PSK) (also called a shared secret) to authenticate the Cloud VPN tunnel to your peer VPN gateway. As a security best practice, we recommend that you generate a strong 32-character pre-shared key.

Use the following methods to generate a strong 32-character pre-shared key.

For more information about Cloud VPN, see the Cloud VPN overview.

For definitions of terms used on this page, see Key terms.

Generate a PSK by using JavaScript

You can generate the pre-shared key directly in the browser by using JavaScript with the W3C Web Cryptography API. The Crypto.getRandomValues() method fills a typed array with cryptographically strong random values; do not substitute Math.random(), which is not a cryptographic generator and must never be used for key material.

The following code generates a random 32-character string by creating an array of 24 random bytes and then base64 encoding those bytes. Base64 expands every 3 bytes into 4 characters, so 24 bytes (192 bits of entropy) yield exactly 32 characters with no trailing "=" padding:

  // 24 random bytes from the browser's CSPRNG.
  var a = new Uint8Array(24);
  window.crypto.getRandomValues(a);

  // Convert the bytes to a binary string and base64 encode it: 24 bytes -> 32 characters.
  console.log(btoa(String.fromCharCode.apply(null, a)));


Generate a PSK by using OpenSSL

In the Linux or macOS command-line interface, run the following OpenSSL command. It reads 24 bytes from OpenSSL's cryptographically secure random number generator and base64 encodes them, which produces a 32-character key:

openssl rand -base64 24

The number after -base64 is a byte count, not a character count: openssl rand -base64 32 encodes 32 random bytes and prints a 44-character key.

Generate a PSK by using /dev/urandom

On Linux or macOS, read random bytes from /dev/urandom, the kernel's cryptographically secure random number generator, and encode them to produce a pre-shared key. The following two recipes are alternatives, not consecutive steps.

  1. Base64 encode 24 random bytes (192 bits) to get a 32-character key:

    head -c 24 /dev/urandom | base64
    
  2. Alternatively, hash a larger block of random bytes with sha256 and keep the first 32 hexadecimal characters (128 bits). The hex alphabet is smaller than base64, so a 32-character hex key carries less entropy than a 32-character base64 key:

    • On Linux:

      head -c 4096 /dev/urandom | sha256sum | cut -b1-32
      
    • On macOS:

      head -c 4096 /dev/urandom | shasum -a 256 | cut -b1-32
      
    shasum prints the digest first, like sha256sum. Avoid openssl sha256 here: it prefixes its output with "(stdin)= ", so cut -b1-32 would capture the label instead of the first 32 hex digits.
      
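The following shell functions are an added example, not part of the Cloud VPN documentation. They implement both /dev/urandom recipes from this section as reusable functions and add the check a practitioner wants before pasting a key into a tunnel configuration: that the key is exactly 32 characters from the expected alphabet, so a wrapped, truncated, or label-prefixed value is rejected. The function names (gen_psk, gen_hex_psk, b64_len, check_psk) are assumptions chosen for this example; the 16-byte hex variant is a generalization that yields the same 128 bits as the sha256-and-truncate recipe without the hashing step.

```shell
#!/bin/sh
# Added example (not from the Cloud VPN documentation): generate a 32-character
# PSK from /dev/urandom with either encoding used on this page and sanity-check
# the result before using it for a tunnel.

# Base64 PSK: N random bytes -> 4*ceil(N/3) characters.
# The default of 24 bytes gives exactly 32 characters (192 bits) and no '=' padding.
gen_psk() {
  nbytes="${1:-24}"
  head -c "$nbytes" /dev/urandom | base64 | tr -d '\n'
}

# Hex PSK: 16 random bytes hex-encoded -> 32 characters (128 bits). This is the
# same entropy as the sha256-and-truncate recipe, without the hashing detour.
gen_hex_psk() {
  head -c 16 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Number of base64 characters produced by encoding N bytes (4 per 3-byte group).
b64_len() {
  echo $(( 4 * (($1 + 2) / 3) ))
}

# Accept a PSK only if it is exactly 32 characters drawn from the base64
# alphabet (hex output is a subset), so a truncated, wrapped, or
# label-prefixed key such as "(stdin)= ..." is caught.
check_psk() {
  psk="$1"
  [ "${#psk}" -eq 32 ] || return 1
  case "$psk" in
    *[!A-Za-z0-9+/=]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Usage when run directly:
#   key=$(gen_psk) && check_psk "$key" && printf '%s\n' "$key"
```

b64_len makes the byte-versus-character distinction explicit: b64_len 24 is 32, while b64_len 32 is 44, which is why the base64 recipes on this page encode 24 bytes rather than 32.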

What's next

  • To use high-availability and high-throughput scenarios or multiple subnet scenarios, see Advanced configurations.
  • To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.