Rotate Pritunl Api Keys in Database Directly

Thursday, Jul 10, 2025 | 3 minute read | Updated at Thursday, Jul 10, 2025

Doug Munsinger

Rotate Pritunl token and secret directly in mongodb…

Secrets

Pritunl API token autnetication checkbox and the token and secret are visible after installing the Enterprise key for Pritunl and restarting the service. But it looks like the underlying auth IS present, att least when I queried the administrators collection, I found the fields auth_api, token and secret present. I did not test full functionality before installing the Enterprise key, but I have a note to do that before installing the Enterprise key on the next iteration of testing.

Here’s how to access and manipulate these keys directly in the mongodb

Install mongosh

To install mongosh (the MongoDB Shell) on Ubuntu 22.04 (Jammy)

1. Import MongoDB’s public GPG key

1
2

curl -fsSL https://pgp.mongodb.com/server-6.0.asc | \
  sudo gpg -o /usr/share/keyrings/mongodb-server-6.0.gpg --dearmor

This is MongoDB’s GPG key used for verifying packages.

2. Add the MongoDB repo to APT sources

1
2

echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-6.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/6.0 multiverse" | \
  sudo tee /etc/apt/sources.list.d/mongodb-org-6.0.list > /dev/null

3. Update package lists

1

sudo apt update

4. Install mongosh

1

sudo apt install -y mongodb-mongosh

5. ✅ Test it

1

mongosh --version

Login to Mongodb

1

mongosh "mongodb+srv://<username>:<password>@<cluster-url>/pritunl"

Enable API Auth

To enable API authentication for a Pritunl administrator in mongosh, you need to set the auth_api field to true in the administrators collection.

1. Connect to your Pritunl database:

1

mongosh "mongodb+srv://<username>:<password>@<cluster-url>/pritunl"

Or locally:

1

mongosh

Then:

1

use pritunl

2. Find the admin users:

1

db.administrators.find({}, { username: 1, auth_api: 1 }).pretty()

This shows you all usernames and whether auth_api is enabled.

3. Enable auth_api for a specific user:

Replace "user_name" with your actual username:

1
2
3
4

db.administrators.updateOne(
  { username: "user_name" },
  { $set: { auth_api: true } }
)

4. Confirm the change:

1

db.administrators.find({ username: "user_name" }, { auth_api: 1 }).pretty()

You should see:

1
2
3

{
  "auth_api" : true
}

Rotate Token and Secret

To rotate the token and secret for an administrator in Pritunl via mongosh, you’ll directly update the fields in the administrators collection.

Generate new token and secret values

Use your terminal to generate secure values:

32-character:

1

head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32

64-character:

1

head /dev/urandom | tr -dc A-Za-z0-9 | head -c 64

Update the admin in MongoDB

Substitute the values into the command below:

1
2
3
4
5
6
7
8
9

db.administrators.updateOne(
  { username: "user_name" },
  {
    $set: {
      token: "NEW32CHARACTERTOKEN",
      secret: "NEW64CHARACTERSECRET"
    }
  }
)

Confirm the update

1

db.administrators.find({ username: "user_name" }, { token: 1, secret: 1 }).pretty()

⚠️ Notes

  • The new token and secret are effective immediately — update Terraform or any automation that uses them.
  • Be sure to keep the auth_api field as true:

—doug

© 2025 by Doug Munsinger

About Me

About Cover

I build tools. I write scripts, plugins, compiled Go code binaries, terraform .tf files, APIs, hacks (a lot of these…). Glue that makes automation happen by connecting together open source projects like terraform, ansible packer, Jenkins, Docker, Kubernetes, Github and so on.

I do a lot of note taking and documentation. Mostly this is to let me pick back up where I left off on code or infrastructure when it has issues or needs to be upgraded or replaced a year or two down the road. Some of those notes & docs might be useful to someone other than myself. If that might be the case, they go here.

intuitive engineering describes taking physical structure and system design out of the lego or erector set viewpoint — where you piece things together one-by-one — and into an understanding of the art of engineering.

Watch really complex systems, say a network, for awhile and you find unexpected interactions become normal as complexity increases. The same is true for CICD systems and Devops/Infrastructure Engineering tools. There are gremlins in the dark corners.

Totems:

  • Avoid wherever possible, complexity, and where you find complexity, work toward a simpler design as a goal.
  • The elegant, aesthetically pleasing solution is also in most cases the least effort and personnel to support in the long run.
  • Expect and deal with missteps as they show up – complex designs can present opportunities as you work through them that are NOT visible at the start of the project. This is true in building construction. It is also true in network and system design, in software design.
  • Make that discovery part of the process, take advantage of those simplified and elegant changes as they present themselves.
  • Look for the consequences several steps ahead for each decision.
    • How locked into a design does it make you?
    • Can you live with that?
    • Is there a less restrictive/simpler/better/more elegant decision in design that can be made that doesn’t block off avenues?
    • Can you solve a problem once and reuse that solution?
    • Is there a modular or plugin design that would keep a flexibility?
  • Use open source tooling where that is practical.
  • Use best of breed. Build the interconnections and tooling passing from one system to another.
  • Customize as little as possible. Write bespoke code as little as possible.

I live in the Northeast and I am currently employed by Toast, Inc., as a Staff Devops/Infrastructure/Cloud Engineer (the titles keep changing).

—doug

Toolbelt

Toolbelt Image

I was a cabinetmaker and finish carpenter in Los Angeles for 17 years before working as a UNIX Systems Administrator.

I used an IBM 386 clone desktop with a green monochrome terminal monitor and a dot matrix printer to manage contracts, correspondence, and write promotional letters to prospective clients. I kept diving under the hood to tweak and optimize the system, adding a whopping 1 MB RAM and editing himem.sys in DOS to get it used.

The clone had a 20 MB hard drive. It backed up onto 5-1/2" floppy disks. It needed to be physically reformatted and rebuilt from backups about every six months. More often as it aged.

I fell in love with the command line, and only reluctantly installed Windows 3.1 when an application, I think it was a dog-slow CAD program, required it.

From there I went to an x86 Linux machine, back when Linux was a university play toy and no one expected it to become a serious operating system, except a few of us. From there, Solaris and Sun machines, IBM mainframes and IRIS, and eventually back to Linux, Ubuntu, Gentoo, Debian, Redhat, Amazonlinux.

I completed a UNIX & Systems Admin course, a one year certificate program at WPI that could be done in 8 weeks full time if you were committed to learning. I was.

From that point I’ve been employed as a systems administrator, firewall engineer (Fidelity Investments), network engineer (Egenera), hardware support engineer (Crossbeam Systems), devops engineer (the title most used since), and recently cloud and infrastructure engineer (Toast).

It used to be I actually saw physical hardware. At this point, it’s been maybe 7 years since I’ve been in a datacenter.

I still love the command line…

Command Line

License

MIT License

This covers any and all code snippets I’ve authored and included here.

MIT License Logo

© 2025 by Doug Munsinger

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.

Good luck  ;^)

Images

All images are excluded and are “All rights reserved.”

They are not licensed for reuse or redistribution unless explicitly stated.