You can use a pre-shared key (PSK) (also called a shared secret) to
authenticate the Cloud VPN tunnel to your peer VPN gateway. As a security
best practice, we recommend that you generate a strong 32-character
pre-shared key.
Use the following methods to generate a strong 32-character pre-shared key.
For definitions of terms used on this page, see Key terms.
Generate a PSK by using JavaScript
You can generate the pre-shared key directly in a document by using JavaScript with the W3C Web Cryptography API. This API provides the Crypto.getRandomValues() method, which returns cryptographically strong random values suitable for a pre-shared key.
The following code generates a random 32-character string by creating an
array of 24 random bytes and then base64 encoding those bytes:
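```
// 24 random bytes encode to exactly 32 base64 characters, with no padding.
var a = new Uint8Array(24);
window.crypto.getRandomValues(a);
// Turn the bytes into a binary string, then base64-encode it.
console.log(btoa(String.fromCharCode.apply(null, a)));
```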
Generate a PSK by using OpenSSL
In the Linux or macOS command-line interface, run the following OpenSSL command:

```
openssl rand -base64 32
```
Generate a PSK by using /dev/urandom
On a Linux or macOS operating system, use /dev/urandom as a
pseudorandom source to generate a pre-shared key.
1. In the Linux or macOS command-line interface, run the following command to send the random input to base64:

   ```
   head -c 32 /dev/urandom | base64
   ```

2. Pass the random input through a hashing function, such as sha256:

   - On Linux:

     ```
     head -c 4096 /dev/urandom | sha256sum | cut -b1-32
     ```

   - On macOS:

     ```
     # -r prints the digest first, so cut returns hex only and never a "(stdin)= " label
     head -c 4096 /dev/urandom | openssl sha256 -r | cut -b1-32
     ```
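The commands on this page do not all emit the same key length or strength: 24 random bytes base64-encode to exactly 32 characters, 32 random bytes (as in `openssl rand -base64 32` and `head -c 32 /dev/urandom | base64`) encode to 44 characters including one `=` pad, and a 32-character hex cut of a SHA-256 digest carries at most 128 bits. The following script is an added example, not part of the original page; the function names `psk_base64`, `psk_hex32`, `psk_bits` and `psk_report` are hypothetical.

```sh
#!/bin/sh
# Added example: helper names below are hypothetical, not from the Cloud VPN docs.

# N bytes from the kernel CSPRNG, base64-encoded on a single line.
psk_base64() {
    head -c "$1" /dev/urandom | base64 | tr -d '\n'
}

# 32 hex characters: the first half of a SHA-256 digest of 4096 random bytes.
psk_hex32() {
    if command -v sha256sum >/dev/null 2>&1; then
        head -c 4096 /dev/urandom | sha256sum | cut -b1-32
    else
        # -r prints the digest first, so cut never sees a "(stdin)= " label.
        head -c 4096 /dev/urandom | openssl sha256 -r | cut -b1-32
    fi
}

# Upper bound on the random bits a key can carry, judged from its alphabet:
# lowercase hex holds 4 bits per character; base64 holds 6 bits per character
# ('=' padding excluded), rounded down to whole bytes.
psk_bits() {
    case $1 in
        *[!0-9a-f]*)
            body=$(printf '%s' "$1" | tr -d '=')
            echo $(( ${#body} * 6 / 8 * 8 )) ;;
        *)
            echo $(( ${#1} * 4 )) ;;
    esac
}

# Print "<label> <characters> <max bits>" for one generated key.
# The key itself is not printed, so it does not end up in terminal scrollback.
psk_report() {
    printf '%-22s %2d chars  %3d bits\n' "$1" "${#2}" "$(psk_bits "$2")"
}

psk_report "24 bytes | base64" "$(psk_base64 24)"
psk_report "32 bytes | base64" "$(psk_base64 32)"
psk_report "sha256 | cut -b1-32" "$(psk_hex32)"
```

If the peer device enforces an exact 32-character secret, the 24-byte base64 form is the one that fits without truncation.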
What's next
To use high-availability and high-throughput scenarios or multiple subnet scenarios, see Advanced configurations.
To help you solve common issues that you might encounter when using
Cloud VPN, see Troubleshooting.
Last updated 2025-09-04 UTC.