Skip to main content

Shared Secret

Summary

Shared Secret is the base64-encoded, 256-bit key used to mutually authenticate requests between Pomerium services. It's critical that secret keys are random, and stored safely.

note

If you adjust your shared secret and/or how it's accessed by Pomerium, you may create a secret mismatch.

How to configure

Config file keysEnvironment variablesTypeUsage
shared_secretSHARED_SECRETstringrequired
shared_secret_fileSHARED_SECRET_FILEstringrequired
Shared Secret in Enterprise Configurations

If you're connecting to the Enterprise Console, your Pomerium Core and Enterprise configurations each require the same shared secret.

See the Enterprise Quickstart for an example implementation.

Examples

To generate a key, run the following command:

head -c32 /dev/urandom | base64

Add the value to your configuration file:

shared_secret: wC4RFsEdM1gHFzvRt3XW+iWw6Ddt/1kKkdh66OKxiqs=
SHARED_SECRET_FILE='/run/secrets/POMERIUM_SHARED_SECRET'