Generating a Strong Pre-shared Key

A pre-shared key (also called a shared secret or PSK) is used to authenticate the Cloud VPN tunnel to your on-premises VPN gateway. As a security best practice, we recommend that you generate a strong 32-character shared secret.

Generated for you

The random string below has been generated by your browser using the JavaScript snippet at the bottom of this page. It is 24 bytes from Crypto.getRandomValues(), base64-encoded to create a 32-character PSK.

With this snippet, the pre-shared key is generated in your browser and stays there. If you wish to generate it on your own system, use one of the methods under Generation methods below.

The Regenerate button will generate a new, random PSK when clicked.


Generation methods

Use the following methods to generate a strong 32-character shared secret.

OpenSSL

Run the following OpenSSL command on a Linux or macOS system to generate a shared secret:

openssl rand -base64 24

/dev/urandom

On Linux or macOS, use /dev/urandom as a pseudorandom source for generating a shared secret:

  • You can send the random input to base64:
      head -c 24 /dev/urandom | base64
      
  • You can pass the random input through a hashing function, like sha256:
    • On Linux:
         head -c 4096 /dev/urandom | sha256sum | cut -b1-32
         
    • On macOS:
         head -c 4096 /dev/urandom | openssl sha256 | cut -b1-32
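
The following is an added example, not part of the original page: it generates a PSK with the /dev/urandom base64 method and estimates from the alphabet how many random bits a PSK carries, which shows that the 32 hexadecimal characters produced by the sha256 pipelines carry 128 bits while 32 base64 characters carry 192. The function names gen_psk, psk_bits and check_psk are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the page.

# Generate a PSK as in the base64 method above: 24 random bytes,
# base64-encoded, which is exactly 32 characters (no padding).
gen_psk() {
    head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# Print an estimate of the random bits behind a PSK, judged by its alphabet
# and assuming uniformly random characters: a hex character carries 4 bits,
# a base64 character carries 6.
# Prints 0 and returns 1 for an empty string or an unexpected character.
psk_bits() {
    s=$(printf '%s' "$1" | tr -d '=')          # base64 padding carries no data
    [ -n "$s" ] || { echo 0; return 1; }
    other=$(printf '%s' "$s" | LC_ALL=C tr -d 'A-Za-z0-9+/')
    [ -z "$other" ] || { echo 0; return 1; }
    nonhex=$(printf '%s' "$s" | LC_ALL=C tr -d '0-9a-fA-F')
    if [ -n "$nonhex" ]; then
        echo $(( ${#s} * 6 ))                  # base64 alphabet
    else
        echo $(( ${#s} * 4 ))                  # hexadecimal only
    fi
}

# Accept a PSK only if it is 32 characters long and reaches at least
# $2 bits (default 128) by the estimate above.
check_psk() {
    [ "${#1}" -eq 32 ] || return 1
    bits=$(psk_bits "$1") || return 1
    [ "$bits" -ge "${2:-128}" ]
}
```

For example, check_psk "$(gen_psk)" 192 succeeds, while a 32-character hexadecimal secret passes only at the default 128-bit threshold.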
         

JavaScript

You can also generate the pre-shared key directly in a doc page using JavaScript with the W3C Web Cryptography API. This API uses the Crypto.getRandomValues() method, which provides a cryptographically sound way of generating a pre-shared key.

The code below will create an array of 24 random bytes, and then base64 encode those bytes to produce a random 32-character string.


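  // Fill a 24-byte array with cryptographically secure random values.
  var a = new Uint8Array(24);
  window.crypto.getRandomValues(a);

  // Base64-encode the 24 bytes to get the 32-character PSK.
  console.log(btoa(String.fromCharCode.apply(null, a)));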
