Ubuntu – How to change the gpg key of the pass password store

Tags: password, pgp

One can use pass as a password manager to store passwords.

One thing that is not clear from the manual is whether it is possible to easily change the gpg key that is used. One initializes the password store with a gpg key, but I am wondering what to do if the key for instance gets outdated.

Is there a convenient way to decrypt and re-encrypt all passwords stored in the password manager with another key?

Best Answer

Use pass init [-p path] <gpg-id> where <gpg-id> specifies the new gpg key with which you want to encrypt your passwords. According to the pass man page,

If the specified gpg-id is different from the key used in any existing files, these files will be reencrypted to use the new id.

This seems to work at least in pass 1.6.5. Please note that you will need access to the old gpg private key in order to decrypt and then reencrypt your passwords.

Caveat 1

If any of your pass directories don't reencrypt with the new key, it may be that it has a .gpg-id file that overrides any gpg-id specified at the top level of the password-store directory. I won't cover how to solve this problem in this question since it would be probably a little too tangential, but I will say that the pass man page does a pretty good job of explaining it.

Caveat 2

If your ~/.password-store directory is a git repo (i.e., you at one time ran pass git init) then please note that the old encryption will remain in the git repo's commit history; if your concern is about a potentially compromised gpg key then you should take whatever steps are necessary to get rid of that git history.
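The following script is an added example and is not part of the answer above or of pass itself. It automates the check behind Caveat 1: it walks a password store, reports every subdirectory whose own .gpg-id lists different keys from the top-level .gpg-id (those subtrees are not re-encrypted by a plain top-level pass init), and prints the per-directory `pass init -p <dir> <new-id>` commands from the answer so they can be reviewed before being run. It needs only POSIX sh, find, tr and sed, so it runs without gpg or pass installed; the store path and key ids are whatever you pass in.

```shell
#!/bin/sh
# Added example, not code from the original answer or from pass itself:
# audit a password store for per-directory .gpg-id overrides, the usual
# reason a top-level `pass init <new-id>` leaves some entries encrypted
# to the old key (Caveat 1 above). Uses only POSIX sh, find, tr and sed;
# neither gpg nor pass has to be installed to run the audit.

# Print "relative/dir<TAB>key ids" for every .gpg-id below the store
# root whose key list differs from the top-level .gpg-id.
find_gpgid_overrides() {
    store=${1:-"$HOME/.password-store"}
    if [ ! -f "$store/.gpg-id" ]; then
        echo "find_gpgid_overrides: no .gpg-id in $store" >&2
        return 2
    fi
    # A .gpg-id may list several keys, one per line; join them for comparison.
    top=$(tr '\n' ' ' < "$store/.gpg-id" | sed 's/ *$//')
    find "$store" -type f -name .gpg-id | LC_ALL=C sort | while IFS= read -r f; do
        [ "$f" = "$store/.gpg-id" ] && continue          # skip the root file
        ids=$(tr '\n' ' ' < "$f" | sed 's/ *$//')
        [ "$ids" = "$top" ] && continue                 # same keys, no override
        rel=${f#"$store/"}
        rel=${rel%/.gpg-id}
        printf '%s\t%s\n' "$rel" "$ids"
    done
}

# For each overriding directory, emit the command the answer gives for
# re-encrypting a subtree: `pass init -p <dir> <new-id>`. Printed, not
# run, so the output can be reviewed before touching the store.
reencrypt_commands() {
    store=$1
    newid=$2
    tab=$(printf '\t')
    find_gpgid_overrides "$store" | while IFS="$tab" read -r dir ids; do
        printf "pass init -p '%s' %s\n" "$dir" "$newid"
    done
}

# Usage: sh audit-gpgid.sh [store-dir] [new-gpg-id]
if [ -n "$1" ]; then
    find_gpgid_overrides "$1"
    if [ -n "$2" ]; then
        reencrypt_commands "$1" "$2"
    fi
fi
```

Run it against the store after the top-level `pass init <new-id>`: an empty report means every subtree now points at the same key list as the root; any line it prints names a directory that still has its own .gpg-id and the command that re-encrypts it. The old private key must still be available for those re-encryptions, as the answer notes.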