Showing results for 
Search instead for 
Did you mean: 

How to generate secure pre-shared keys (PSK) for an IPSec VPN

Philip D'Ath

I build VPNs regularly, and one of the problems that comes up regularly is how to exchange PSK's.  Some people are happy to exchange them over email, and others not (particularly because of ISO/IEC 27002).

Some people like to use TXT messages - but this is horrible.  I would say 90% of the PSK's that people try to TXT me get mangled.  What ends up happening is you usually weaken the key a lot to get it through the TXT system - but the whole point of a PSK is to provide initial security, so this really feels wrong to me.

Other people try to actually recite them over the phone.  This is also horrible.  More often than not you spend an hour trying to type in the key, trying the VPN, have it fail, and repeat until it works.  Sometimes the key, once again, gets weakened so it can be read out over a phone.

What to do?  Well, I pondered the issue for a while, and then wrote a tool to make the problem simpler.

I admit, its' not perfect, but better than using a TXT message or trying to recite the key over the phone.

What is this tool?  It is a piece of client side javascript (so you can download the web page, unplug your computer from the network, and still use it), that generates long and strong PSK's that rotate every 24 hours at GMT 00:00.  You can then make your output strong by typing in two extra source keys that you can agree over on the phone, or any other insecure method.

So I can call you, and tell you to pick a colour, put it into "Key 1", and tell me what it is.  I enter the same key into "Key 1".  I then pick a colour and put it into "key 2", tell you, and you also enter it into "key 2".  You now click the "Generate" button, and both your machine and mine will calculate (the same) 24 character PSK.  You can then copy and paste this into your config.

If you wait 24 hours and repeat you will get a different PSK.

So you now have an easy way to generate a long and strong PSK that is never transmitted - ever.

2 Replies 2


Any key you generate by this method will only be as strong as the source keys, so this is just a complicated way to weaken the PSK.

I don't agree.  You start with no PSK - so for a start anything beyond that will be stronger - not weaker.

However, I do invite you to produce something better that also solves the problem of creating a PSK without exchanging any keys in the clear text.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers