Shared Secret
Summary
Shared Secret is the base64-encoded, 256-bit key used to mutually authenticate requests between Pomerium services. It's critical that secret keys are random, and stored safely.
note
If you adjust your shared secret and/or how it's accessed by Pomerium, you may create a secret mismatch.
How to configure
- Core
- Enterprise
- Kubernetes
| Config file keys | Environment variables | Type | Usage |
|---|---|---|---|
shared_secret | SHARED_SECRET | string | required (unless shared_secret_file is set) |
shared_secret_file | SHARED_SECRET_FILE | string | required (unless shared_secret is set) |
Shared Secret in Enterprise Configurations
If you're connecting to the Enterprise Console, your Pomerium Core and Enterprise configurations each require the same shared secret.
See the Enterprise Quickstart for an example implementation.
Examples
To generate a key, run the following command:
head -c32 /dev/urandom | base64
Add the value to your configuration file:
shared_secret: wC4RFsEdM1gHFzvRt3XW+iWw6Ddt/1kKkdh66OKxiqs=
SHARED_SECRET_FILE='/run/secrets/POMERIUM_SHARED_SECRET'
shared_secret is a bootstrap configuration setting and is not configurable in the Console.
| Name | Type | Usage |
|---|---|---|
secrets.shared_secret | string | required |
See Kubernetes bootstrap secrets for more information.