How to create and share a secure VPN passphrase or password


Case

You need to generate a strong passphrase to secure an Internet-facing service. A common example is generating an IKEv2 passphrase for a site-to-site VPN connection, for instance when creating a new VPN connection inside an Azure VPN gateway resource.

Solution

Generating a strong passphrase is highly recommended when creating VPN connections. A very handy free PSK generator is available at: https://pskgen.com/.

The developer of the pskgen website describes a handy procedure for securely generating and sharing the PSK passphrase. You and the person you will be sharing the PSK passphrase with use two separate passwords to create a unique 64-byte shared secret with the help of a cryptographic hash generator. Regardless of the length of each password, the generated Shared Secret is always 64 bytes. Follow the procedure below:

  1. Create a list of at least 10 randomly generated passwords. These passwords should be at least 64 characters long. Email the password list to your VPN partner, but do NOT include these instructions, the website address, or anything else in the email that reveals the process that is about to be used.
  2. Over the phone, provide your VPN partner this website address and have them pick one of the passwords from the list you emailed to them. Both of you will copy and paste the selected password to the Password 1 box.
  3. Give your VPN partner a simple shorter password. I suggest a 16-digit numeric string as this would be easy to share over the phone with a reduced chance of mistakes. Both of you will enter this shorter password in the Password 2 box.
  4. Both of you will click the Generate button. Verify the first and last 2 or 3 bytes over the phone to ensure you've created the same Shared Secret.
  5. Copy and paste the Shared Secret (PSK passphrase) to your VPN configuration.

Note that you can use the same process as above for creating and sharing a strong password.
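
The same two-password procedure can be run offline by both parties. This is an added example, not pskgen.com's code: the page does not say which hash the site uses, so PBKDF2-HMAC-SHA512 with Password 2 as the salt is an assumption and its output will not match the website's. The function names, the iteration count and the sample values are illustrative.

```python
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
ITERATIONS = 200_000  # assumed work factor; both sides must use the same value


def make_password_list(count=10, length=64):
    """Step 1: candidate passwords from the OS CSPRNG, to be emailed."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(count)]


def derive_shared_secret(password1, password2):
    """Steps 2-4: combine both passwords into a fixed 64-byte secret.

    password1 is the entry picked from the emailed list, password2 the short
    value exchanged by phone. Surrounding whitespace from copy and paste is
    stripped so both sides hash identical bytes.
    """
    p1 = password1.strip().encode("utf-8")
    p2 = password2.strip().encode("utf-8")
    if not p1 or not p2:
        raise ValueError("both passwords are required")
    # Assumption: PBKDF2-HMAC-SHA512, password2 as salt; dklen=64 gives 64 bytes.
    return hashlib.pbkdf2_hmac("sha512", p1, p2, ITERATIONS, dklen=64)


def phone_check(secret, nbytes=3):
    """Step 4: first and last bytes as hex, to be read out over the phone."""
    return secret[:nbytes].hex(), secret[-nbytes:].hex()


if __name__ == "__main__":
    candidates = make_password_list()
    chosen = candidates[4]          # constructed: partner picks entry 5
    short = "4839201746502918"      # constructed 16-digit phone password
    mine = derive_shared_secret(chosen, short)
    # The partner pasted the same values with stray whitespace.
    theirs = derive_shared_secret(chosen + "\n", " " + short)
    print("match:", secrets.compare_digest(mine, theirs))
    print("read out:", phone_check(mine))
    print("PSK (hex):", mine.hex())
```

Both parties must run the identical script with the same iteration count, otherwise the phone check in step 4 fails.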
