# Shared Secret

## Summary

**Shared Secret** is the base64-encoded, 256-bit key used to mutually authenticate requests between Pomerium services. It's critical that secret keys are random, and stored safely.

If you adjust your shared secret and/or how it's accessed by Pomerium, you may create a [**secret mismatch**](https://www.pomerium.com/docs/internals/troubleshooting.md).

## How to configure

**Core:**

| **Config file keys** | **Environment variables** | **Type** | **Usage** |
| :-- | :-- | :-- | :-- |
| `shared_secret` | `SHARED_SECRET` | `string` | **required** (unless `shared_secret_file` is set) |
| `shared_secret_file` | `SHARED_SECRET_FILE` | `string` | **required** (unless `shared_secret` is set) |

If you're connecting to the [Enterprise Console](https://www.pomerium.com/docs/deploy/enterprise.md), your Pomerium Core and Enterprise configurations each require the same shared secret.

See the [Enterprise Quickstart](https://www.pomerium.com/docs/deploy/enterprise/quickstart.md) for an example implementation.

### Examples

To generate a key, run the following command:

```shell
head -c32 /dev/urandom | base64
```

Add the value to your configuration file:

```yaml
shared_secret: wC4RFsEdM1gHFzvRt3XW+iWw6Ddt/1kKkdh66OKxiqs=
```

```bash
SHARED_SECRET_FILE='/run/secrets/POMERIUM_SHARED_SECRET'
```

**Enterprise:**

`shared_secret` is a bootstrap configuration setting and is not configurable in the Console.

**Kubernetes:**

| **Name**                | **Type** | **Usage**    |
| :---------------------- | :------- | :----------- |
| `secrets.shared_secret` | `string` | **required** |

See Kubernetes [bootstrap secrets](https://www.pomerium.com/docs/deploy/k8s/reference.md#spec) for more information.
