How to generate a pre shared key using APG
A common requirement is to generate a random, unique and secure pre-shared key, typically for use in VPN’s. The Linux tool, APG (Automated Password Generator), is a great tool for this job, but you need to specify a few options to get the correct output.
If you just run ‘apg’, you get output that is designed to be read over the phone. This is not what we would consider secure. Here is my suggested command:
apg -a 1 -m 16 -n 1 -c /dev/random
What does each option do?
-a 1
This disables the ‘pronounceable’ password generation option, making password unpronounceable over the phone, and thus more random.
-m 16
This sets the length of the output to 16 characters. Feel free to substitute ’16’ with your own minimum requirement, just make sure that you make it larger than the default of 6.
-n 1
This produces only 1 password. If you need say 4 passwords, use -n 4. The default is 6.
-c /dev/random
By default, APG asks you to enter random data, which it will use as the seed for its PRNG. By using this option, we provide truly random data as the seed. Note that if your OS is low on entropy, using this option may take longer than usual.
If you want to avoid using symbols that might cause issues with input validation, try this command instead:
apg -a 1 -m 22 -n 1 -c /dev/random -M NCL
This will force the use of upper case, lower case and numbers, but no symbols. The number of characters has also been increased to 22, due to the lower entropy due the reduced character set.
Leave a Reply