wpa_passphrase
Generate WPA PSK (pre-shared key)
TLDR
Compute and display the WPA-PSK key for a given SSID reading the passphrase from stdin
Compute and display WPA-PSK key for a given SSID specifying the passphrase as an argument
SYNOPSIS
wpa_passphrase <SSID> [passphrase]
PARAMETERS
SSID
The Service Set Identifier (network name) of the Wi-Fi network for which the PSK is to be generated.
passphrase
The ASCII passphrase for the Wi-Fi network. This passphrase must be between 8 and 63 characters long. If omitted, the command will read the passphrase from standard input, which is generally safer for security reasons.
DESCRIPTION
wpa_passphrase is a command-line utility that generates a 256-bit (64-character hexadecimal) WPA Pre-Shared Key (PSK) from a given network SSID (Service Set Identifier) and a human-readable passphrase. This PSK is essential for configuring WPA-Personal (WPA-PSK) or WPA2-Personal (WPA2-PSK) security for Wi-Fi networks.
The generated PSK is derived using the PBKDF2 (Password-Based Key Derivation Function 2) algorithm, as specified in IEEE 802.11i, with the SSID as the salt, so the derivation is one-way and the passphrase cannot be read back from the key. Rather than storing the plaintext passphrase directly in configuration files like wpa_supplicant.conf, it is highly recommended to use the generated PSK, which keeps the human-readable network password out of the file. The PSK by itself is still sufficient to join the network, so the configuration file needs restrictive permissions either way.
This utility is an integral part of the wpa_supplicant suite, simplifying the process of setting up secure wireless connections by providing the necessary cryptographic material in the correct format.
CAVEATS
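Security Concerns: Providing the passphrase directly on the command line (e.g., wpa_passphrase MyWiFi mysecretpassword) can be a security risk. The passphrase may be visible to other users via the process list (ps command) and stored in shell history files. It is highly recommended to omit the passphrase from the command line and supply it on standard input, for example by piping it from another command (e.g., echo "mysecretpassword" | wpa_passphrase MyWiFi). With a shell-builtin echo this keeps the passphrase out of the process list, but the echo line itself is still written to shell history; running wpa_passphrase MyWiFi with no passphrase argument and typing the passphrase when the command waits for input avoids both.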
PSK Length: The generated PSK is always a 64-character hexadecimal string, representing 256 bits. This is the standard length for WPA/WPA2-PSK.
Purpose Specific: This command is specifically for generating PSKs for WPA-Personal and WPA2-Personal networks. It does not handle WPA-Enterprise (802.1X) or the newer WPA3-SAE mechanisms.
USAGE EXAMPLE
To generate a PSK for a network named "MyHomeWiFi" with the passphrase "SuperSecret123", you would typically run:
$ wpa_passphrase MyHomeWiFi SuperSecret123
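For better security, especially to avoid the passphrase appearing in process lists, you can omit it and pipe it from standard input:
$ echo "SuperSecret123" | wpa_passphrase MyHomeWiFi
The echo command line is still saved in shell history. To keep the passphrase out of history as well, run the command with only the SSID and type the passphrase when it waits for input:
$ wpa_passphrase MyHomeWiFi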
The output would look similar to:
network={
	ssid="MyHomeWiFi"
	#psk="SuperSecret123"
	psk=<64 hexadecimal characters>
}
The line starting with psk= contains the generated 64-character hexadecimal key.
INTEGRATION WITH WPA_SUPPLICANT.CONF
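The output format of wpa_passphrase is specifically designed to be directly usable within the wpa_supplicant.conf configuration file. You can copy the network={} block from its output into your configuration file, ensuring proper network setup with the generated PSK. The block also contains a commented #psk="..." line holding the plaintext passphrase; delete that line before saving if the goal is to keep the passphrase out of the file.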
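The derivation described under DESCRIPTION and the block format described above, as an added Python example that is not part of this page or of wpa_supplicant. It assumes the IEEE 802.11i parameters (PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations, 32-byte output); derive_psk and network_block are hypothetical names, and the passphrase is read with getpass so it reaches neither the process list nor shell history.

```python
import getpass
import hashlib
import sys


def derive_psk(ssid: str, passphrase: str) -> str:
    """Return the 64-hex-character WPA/WPA2-Personal PSK for ssid and passphrase."""
    # Same length rule the page gives for the passphrase: 8 to 63 characters.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    # Assumption of this example: accept printable ASCII only (codes 32..126).
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    # The SSID is the salt, so one passphrase gives a different PSK per network.
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid_bytes, 4096, 32)
    return key.hex()


def network_block(ssid: str, psk_hex: str) -> str:
    """Build a network={} block without the plaintext '#psk=' comment line."""
    # Control characters would break the quoted ssid="..." line, so refuse them.
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in ssid):
        raise ValueError("SSID contains control characters")
    if len(psk_hex) != 64 or any(c not in "0123456789abcdef" for c in psk_hex):
        raise ValueError("PSK must be 64 lowercase hexadecimal characters")
    return f'network={{\n\tssid="{ssid}"\n\tpsk={psk_hex}\n}}\n'


def main() -> int:
    if len(sys.argv) != 2:
        print(f"usage: {sys.argv[0]} <SSID>", file=sys.stderr)
        return 2
    ssid = sys.argv[1]
    # getpass prompts on the terminal without echoing the typed passphrase.
    passphrase = getpass.getpass("Passphrase: ")
    sys.stdout.write(network_block(ssid, derive_psk(ssid, passphrase)))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Redirect the output into a file that only root can read, since the PSK alone is enough to join the network.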
HISTORY
wpa_passphrase is an integral part of the wpa_supplicant project, which was developed by Jouni Malinen. It emerged during the early 2000s as Wi-Fi security transitioned from the vulnerable WEP to the more robust WPA and subsequently WPA2 standards. Its development was crucial in providing a reliable and secure method for generating the necessary cryptographic keys for WPA/WPA2-Personal networks, becoming a cornerstone utility for Linux-based Wi-Fi configurations.
SEE ALSO
wpa_supplicant(8), wpa_cli(8), wpa_gui(8), iwconfig(8), ip(8)