Generating a strong pre-shared key

You can use a pre-shared key (also called a shared secret or PSK) to authenticate the Cloud VPN tunnel to your peer VPN gateway. As a security best practice, we recommend that you generate a strong 32-character pre-shared key.

For more information about Cloud VPN, see the Cloud VPN overview.

For definitions of terms used on this page, see Key terms.

Generated for you

Your browser generates the following random string by using the JavaScript snippet at the end of this page. It is 24 bytes from Crypto.getRandomValues, and is base64-encoded to create a 32-character pre-shared key.

By using this snippet, the private key stays securely in your browser. If you want to generate it on your own system, use one of the generation methods listed in the next section.

To generate a new random pre-shared key, click the Regenerate button.

Generation methods

Use the following methods to generate a strong 32-character pre-shared key.


On a Linux or macOS system, run the following OpenSSL command:

openssl rand -base64 24


On a Linux or macOS system, you can also use /dev/urandom as a pseudorandom source to generate a pre-shared key:

  • On Linux or macOS, send the random input to base64:

    head -c 24 /dev/urandom | base64
  • Pass the random input through a hashing function, such as sha256:

    • On Linux:

      head -c 4096 /dev/urandom | sha256sum | cut -b1-32
    • On macOS:

      head -c 4096 /dev/urandom | openssl sha256 | cut -b1-32


You can generate the pre-shared key directly in a document by using JavaScript with the W3C Web Cryptography API. This API uses the Crypto.getRandomValues() method, which provides a cryptographically sound way of generating a pre-shared key.

The following code creates an array of 24 random bytes, and then base64 encodes those bytes to produce a random 32-character string:

  var a = new Uint8Array(24);

  console.log(btoa(String.fromCharCode.apply(null, a)));

What's next