Last updated 2025-08-29 UTC.

# Create the secret with a PSK

This page describes how to generate a pre-shared key (PSK) and use that PSK to create an authentication secret.

A PSK is a shared secret password that is used to authenticate and encrypt communication between two devices. It is a form of symmetric encryption.

Before you begin
----------------

To create a secret, you must have the necessary identity and access roles:

- VPN Admin: Has read and write permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Admin (`vpn-admin`) role.
- VPN Viewer: Has read permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Viewer (`vpn-viewer`) role.
- For more information, see [Role definitions](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/role-definitions).

Generate a PSK
--------------

Use one of the following methods to generate a strong 32-character pre-shared key.

### OpenSSL

For more information about OpenSSL, see <https://www.openssl.org/>. On a Linux or macOS system, run the following OpenSSL command:

```
openssl rand -base64 24
```

### /dev/urandom

On a Linux or macOS system, you can also use `/dev/urandom` as a pseudorandom source to generate a pre-shared key:

- On Linux or macOS, send the random input to `base64`:

      head -c 24 /dev/urandom | base64

- Pass the random input through a hashing function, such as `sha256`, and keep the first 32 hex characters of the digest:

  - On Linux:

        head -c 4096 /dev/urandom | sha256sum | cut -b1-32

  - On macOS (`openssl sha256` prefixes the digest with a label such as `(stdin)=`, so select the last field before cutting):

        head -c 4096 /dev/urandom | openssl sha256 | awk '{print $NF}' | cut -b1-32

### JavaScript

Generate the pre-shared key directly in a web page by using JavaScript with the W3C Web Cryptography API. For more information, see <https://www.w3.org/TR/WebCryptoAPI/#Crypto-method-getRandomValues>.

This API uses the `Crypto.getRandomValues()` method, detailed at <https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues>, which provides a cryptographically sound way of generating a pre-shared key.

The following code creates an array of 24 random bytes, and then base64 encodes those bytes to produce a random 32-character string:

    var a = new Uint8Array(24);
    window.crypto.getRandomValues(a);

    console.log(btoa(String.fromCharCode.apply(null, a)));

Create the secret
-----------------

Create a secret with a PSK key in the platform namespace:

    kubectl --kubeconfig MANAGEMENT_API_SERVER create secret -n platform generic PSK_NAME --from-literal=psk=PSK

Replace the following:

- MANAGEMENT_API_SERVER: the zonal API server's kubeconfig path. If you have not yet generated a kubeconfig file for the API server in your targeted zone, see [Sign in](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in#cli) for details.
- PSK_NAME: the name of the PSK key.
- PSK: the value of the PSK key.

What's next
-----------

- [Create a VPN tunnel](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/vpn/configure-the-tunnel)
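As an added example (not part of the original page), the following shell script ties the "Generate a PSK" and "Create the secret" steps together: it generates a key the way the `/dev/urandom` section does, checks that the result is a well-formed 32-character key, and writes it to a mode-0600 file so that kubectl can read it with `--from-file` instead of a `--from-literal` argument that would be recorded in shell history and visible in `ps` output. MANAGEMENT_API_SERVER and PSK_NAME are the page's own placeholders; the output file path is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: generate a 32-character
# PSK as in the /dev/urandom section, validate it, and hand it to kubectl
# through a file rather than a command-line literal.
set -eu

# 24 random bytes -> 32 base64 characters, no '=' padding (24 is a multiple of 3).
generate_psk() {
    head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# Accept only what the page's methods produce: exactly 32 characters, all from
# the base64 alphabet (the sha256 variants yield 32 hex characters, a subset).
# Returns 0 when the key is well-formed, 1 otherwise.
validate_psk() {
    psk="$1"
    [ "${#psk}" -eq 32 ] || return 1
    case "$psk" in
        *[!A-Za-z0-9+/]*) return 1 ;;
    esac
    return 0
}

# Write the PSK to a file created with mode 0600 (umask 077 in a subshell so
# the caller's umask is untouched) and print the kubectl command that reads it
# with --from-file=psk=FILE, which stores it under the same "psk" key as the
# page's --from-literal=psk=PSK form. MANAGEMENT_API_SERVER and PSK_NAME are
# the page's placeholders; the file path is an assumption.
write_psk_file() {
    psk="$1"
    out="$2"
    ( umask 077; printf '%s' "$psk" > "$out" )
    echo "kubectl --kubeconfig MANAGEMENT_API_SERVER create secret -n platform generic PSK_NAME --from-file=psk=$out"
}

# Usage: ./psk.sh run   (generates, validates, writes the file, prints the command)
if [ "${1:-}" = "run" ]; then
    psk="$(generate_psk)"
    validate_psk "$psk" || { echo "generated PSK is malformed" >&2; exit 1; }
    write_psk_file "$psk" "${TMPDIR:-/tmp}/psk.txt"
fi
```

Delete the PSK file once the secret exists; the secret in the platform namespace is the copy the VPN tunnel will use.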