Shared Secret
Summary
Shared Secret is the base64-encoded, 256-bit key used to mutually authenticate requests between services. It is critical that secret keys are random and stored safely.
How to configure
- Core
- Enterprise
- Kubernetes
Config file keys | Environment variables | Type | Usage |
---|---|---|---|
shared_secret | SHARED_SECRET | string | required (unless using shared_secret_file) |
shared_secret is a bootstrap configuration setting and is not configurable in the Console.
Name | Type | Usage |
---|---|---|
secrets.shared_secret | string | required (unless using shared_secret_file) |
See Kubernetes bootstrap secrets for more information.
Pomerium Core configurations do not require a shared_secret or shared_secret_file. You only need to include a shared secret if you are running the Console.
If you are connecting to the Console, your Pomerium Core and Console configurations require the same shared secret.
See the Enterprise Quickstart for an example implementation.
Examples
To generate a key, run the following command:
head -c32 /dev/urandom | base64
Add the value to your configuration file:
# config file key
shared_secret: wC4RFsEdM1gHFzvRt3XW+iWw6Ddt/1kKkdh66OKxiqs=
# environment variable
SHARED_SECRET=wC4RFsEdM1gHFzvRt3XW+iWw6Ddt/1kKkdh66OKxiqs=
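Added example (not part of the Pomerium documentation): a pre-deployment check that a candidate value is standard base64, decodes to exactly 32 bytes (256 bits), and is not the sample value printed above. The function names are hypothetical, and GNU coreutils base64 -d is assumed.

```shell
# Added example, not Pomerium code. Function names are hypothetical.
# Assumes GNU coreutils (base64 -d) and standard-alphabet base64, which is
# what the generation command on this page produces.

# Sample value published on this page: public, so never valid for deployment.
DOC_SAMPLE='wC4RFsEdM1gHFzvRt3XW+iWw6Ddt/1kKkdh66OKxiqs='

# Generate a fresh 256-bit key exactly as the page does.
generate_shared_secret() {
  head -c32 /dev/urandom | base64
}

# Exit status: 0 ok, 1 empty, 2 documentation sample, 3 not base64, 4 wrong length.
check_shared_secret() {
  _value=$1
  if [ -z "$_value" ]; then
    echo "shared_secret is empty" >&2
    return 1
  fi
  if [ "$_value" = "$DOC_SAMPLE" ]; then
    echo "shared_secret is the published documentation sample" >&2
    return 2
  fi
  # Reject characters outside the base64 alphabet before decoding.
  case $_value in
    *[!A-Za-z0-9+/=]*)
      echo "shared_secret is not standard base64" >&2
      return 3 ;;
  esac
  if ! printf '%s' "$_value" | base64 -d >/dev/null 2>&1; then
    echo "shared_secret does not decode as base64" >&2
    return 3
  fi
  # Count decoded bytes; a 256-bit key is exactly 32.
  _nbytes=$(printf '%s' "$_value" | base64 -d | wc -c)
  if [ "$_nbytes" -ne 32 ]; then
    echo "shared_secret decodes to $_nbytes bytes, expected 32" >&2
    return 4
  fi
  return 0
}

# Generate a key and verify it before writing it to configuration.
key=$(generate_shared_secret)
check_shared_secret "$key" && echo "generated key passes: 32 bytes of base64"
```

The check never prints the key itself, so it can run in a deployment pipeline without leaking the secret into logs.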