Generating a strong pre-shared key

A pre-shared key (also called a shared secret or PSK) is used to authenticate the Cloud VPN tunnel to your peer VPN gateway. As a security best practice, it's recommended that you generate a strong 32-character shared secret.

Generated for you

The random string below has been generated by your browser using the JavaScript snippet at the bottom of this page. It is 24 bytes from Crypto.getRandomValues, base64-encoded to create a 32-character PSK.

With this snippet, the pre-shared key is generated locally and stays in your browser. If you wish to generate it on your own system, use one of the Generation methods below.

The Regenerate button will generate a new, random PSK when clicked.

Generation methods

Use the following methods to generate a strong 32-character shared secret.

Using OpenSSL to generate a shared secret

Run the following OpenSSL command on a Linux or macOS system to generate a shared secret:

openssl rand -base64 24

Using /dev/urandom to generate a shared secret

On Linux or macOS, you can also use /dev/urandom as a pseudorandom source to generate a shared secret:

  • On Linux or macOS, you can send the random input to base64:
    head -c 24 /dev/urandom | base64
  • You can pass the random input through a hashing function, like sha256:
    • On Linux:
      head -c 4096 /dev/urandom | sha256sum | cut -b1-32
    • On macOS:
      head -c 4096 /dev/urandom | openssl sha256 | cut -b1-32

Using JavaScript to generate a pre-shared key

You can also generate the pre-shared key directly in a doc page using JavaScript with the W3C Web Cryptography API. This API uses the Crypto.getRandomValues() method, which provides a cryptographically sound way of generating a pre-shared key.

The code below will create an array of 24 random bytes, and then base64 encode those bytes to produce a random 32-character string.

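  var a = new Uint8Array(24);
  // Fill the array with cryptographically secure random bytes.
  window.crypto.getRandomValues(a);
  // Base64-encode the 24 bytes into a 32-character string.
  console.log(btoa(String.fromCharCode.apply(null, a)));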
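The following is an added example, not part of the original page: it wraps the 24-byte generation in a function, adds a sanity check that catches a key encoded from an array that was never filled with random data, and gives an upper bound on the randomness of a 32-character key (base64 versus the hex output of the hashing method). The names generatePsk, entropyUpperBoundBits and checkPsk are hypothetical.

```javascript
// Added example: names below are hypothetical, not from the original page.
// Works in a browser or Node.js (falls back to Node's webcrypto object).
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// 24 random bytes encode to exactly 32 base64 characters (24 * 8 / 6 = 32),
// so the result carries no '=' padding.
function generatePsk() {
  const bytes = new Uint8Array(24);
  rng.getRandomValues(bytes); // skip this and every byte stays 0
  return btoa(String.fromCharCode(...bytes));
}

// Upper bound on randomness, from the alphabet actually used:
// lowercase hex digits carry 4 bits each, base64 characters 6 bits each.
function entropyUpperBoundBits(psk) {
  return psk.length * (/^[0-9a-f]+$/.test(psk) ? 4 : 6);
}

// Returns a list of problems; an empty list means the key looks sane.
function checkPsk(psk) {
  const problems = [];
  if (psk.length !== 32) problems.push("not 32 characters long");
  if (!/^[A-Za-z0-9+/]+$/.test(psk)) problems.push("characters outside base64/hex");
  // An unfilled Uint8Array(24) encodes to 32 'A's; random keys of this
  // length practically never have so few distinct characters.
  if (new Set(psk).size < 8) problems.push("too few distinct characters");
  return problems;
}

// Constructed sample: the key produced when getRandomValues is never called.
const unfilled = btoa(String.fromCharCode(...new Uint8Array(24)));
console.log(generatePsk(), checkPsk(unfilled));
```

Run checkPsk on a key before configuring it on either gateway; a non-empty result means the key should be regenerated.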
