One can use `pass` as a password manager to store passwords.

One thing that is not clear from the manual is whether it is possible to easily change the gpg key that is used. One initializes the password store with a gpg key, but I am wondering what to do if the key for instance gets outdated.

Is there a convenient way to decrypt and re-encrypt all passwords stored in the password manager with another key?
Best Answer
Use

`pass init [-p path] <gpg-id>`

where `<gpg-id>` specifies the new gpg key with which you want to encrypt your passwords. According to the `pass` man page,

This seems to work at least in `pass` 1.6.5. Please note that you will need access to the old gpg private key in order to decrypt and then reencrypt your passwords.

Caveat 1

If any of your `pass` directories don't reencrypt with the new key, it may be that they have a `.gpg-id` file that overrides any gpg-id specified at the top level of the `password-store` directory. I won't cover how to solve this problem in this question since it would probably be a little too tangential, but I will say that the `pass` man page does a pretty good job of explaining it.

Caveat 2

If your `~/.password-store` directory is a git repo (i.e., you at one time ran `pass git init`) then please note that the old encryption will remain in the git repo's commit history; if your concern is about a potentially compromised gpg key then you should take whatever steps are necessary to get rid of that git history.