
One can use pass as a password manager to store passwords.

One thing that is not clear from the manual is whether it is possible to easily change the gpg key that is used. One initializes the password store with a gpg key, but I am wondering what to do if the key for instance gets outdated.

Is there a convenient way to decrypt and re-encrypt all passwords stored in the password manager with another key?

Willem Van Onsem

1 Answer


Use pass init [-p path] <gpg-id> where <gpg-id> specifies the new gpg key with which you want to encrypt your passwords. According to the pass man page,

If the specified gpg-id is different from the key used in any existing files, these files will be reencrypted to use the new id.

This seems to work at least in pass 1.6.5. Please note that you will need access to the old gpg private key in order to decrypt and then reencrypt your passwords.

Caveat 1

If any of your pass directories don't reencrypt with the new key, it may be that it has a .gpg-id file that overrides any gpg-id specified at the top level of the password-store directory. I won't cover how to solve this problem in this question since it would be probably a little too tangential, but I will say that the pass man page does a pretty good job of explaining it.

Caveat 2

If your ~/.password-store directory is a git repo (i.e., you at one time ran pass git init) then please note that the old encryption will remain in the git repo's commit history; if your concern is about a potentially compromised gpg key then you should take whatever steps are necessary to get rid of that git history.

Wayne Warren
  • For viewers of this topic -- please don't do as @maxschlepzig suggests -- it may irretrievably delete all your passwords for good (assuming you don't back them up to a git remote). – Wayne Warren Sep 03 '21 at 11:35
  • Well, either you want to get rid of your password history (e.g. after your old key was compromised) or you don't. If you don't then don't rm the git directory. And of course, always have a working backup available. – maxschlepzig Sep 03 '21 at 12:12
  • What if you don't have the password for the old gpg private key? – Jake Stevens-Haas Dec 09 '22 at 04:25
  • @JakeStevens-Haas that is beyond my ken, other than to point out that the main advantage of using an encrypted password store like this is to prevent people without the gpg private key password from accessing all the other passwords. – Wayne Warren Dec 10 '22 at 06:49
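The following is an added example, not code from the question, the answer, or the pass project. It models the lookup pass uses to pick recipients for an entry: the nearest .gpg-id file, walking up from the entry's directory to the store root. Running it over a constructed sample store shows which entries a top-level pass init <new-id> would re-encrypt and which are pinned by a subdirectory .gpg-id (Caveat 1 above). The store layout, the key ids OLDKEY/WORKKEY/NEWKEY, and the placeholder file contents are all constructed for the demonstration; no real gpg data is touched.

```python
"""
Show which entries in a pass-style store are governed by the root .gpg-id
and which are overridden by a subdirectory .gpg-id.

pass resolves the recipients for an entry from the closest .gpg-id file
above it, so a .gpg-id in a subdirectory wins over the one at the store
root. That is why `pass init <new-id>` run at the top level leaves such
subtrees encrypted to their old key.
"""
import tempfile
from pathlib import Path
from typing import Dict, List


def read_gpg_ids(path: Path) -> List[str]:
    """Return the key ids listed in a .gpg-id file (one per line, blanks ignored)."""
    return [line.strip() for line in path.read_text().splitlines() if line.strip()]


def governing_gpg_id_file(store: Path, entry: Path) -> Path:
    """Walk from the entry's directory up to the store root and return the
    first .gpg-id file found, mirroring pass's recipient lookup order."""
    current = entry.parent
    while True:
        candidate = current / ".gpg-id"
        if candidate.is_file():
            return candidate
        if current == store:
            raise FileNotFoundError("no .gpg-id found above %s" % entry)
        current = current.parent


def reencryption_plan(store: Path, new_id: str) -> Dict[str, List[str]]:
    """Classify every *.gpg entry relative to a top-level `pass init new_id`:
    'reencrypt' if the root .gpg-id governs it, 'pinned' if a subdirectory
    .gpg-id overrides the root. Entries already using new_id are 'unchanged'."""
    root_ids_file = store / ".gpg-id"
    plan = {"reencrypt": [], "pinned": [], "unchanged": []}
    for entry in sorted(store.rglob("*.gpg")):
        # A store that is a git repo may contain .gpg blobs under .git; skip them.
        if ".git" in entry.relative_to(store).parts:
            continue
        name = entry.relative_to(store).with_suffix("").as_posix()
        ids_file = governing_gpg_id_file(store, entry)
        if ids_file != root_ids_file:
            plan["pinned"].append(name)
        elif read_gpg_ids(ids_file) == [new_id]:
            plan["unchanged"].append(name)
        else:
            plan["reencrypt"].append(name)
    return plan


def build_demo_store() -> Path:
    """Create a constructed sample store in a temp dir. The .gpg files hold
    placeholder bytes, not real ciphertext, and the key ids are made up."""
    store = Path(tempfile.mkdtemp(prefix="pass-demo-"))
    (store / ".gpg-id").write_text("OLDKEY\n")
    (store / "email").mkdir()
    (store / "email" / "gmail.gpg").write_bytes(b"placeholder ciphertext")
    (store / "work" / "nested").mkdir(parents=True)
    (store / "work" / ".gpg-id").write_text("WORKKEY\n")  # subdirectory override
    (store / "work" / "vpn.gpg").write_bytes(b"placeholder ciphertext")
    (store / "work" / "nested" / "db.gpg").write_bytes(b"placeholder ciphertext")
    return store


if __name__ == "__main__":
    demo = build_demo_store()
    result = reencryption_plan(demo, "NEWKEY")
    for category, names in result.items():
        print(category, names)
```

The entries listed under "pinned" are the ones to look for after a top-level re-encryption: each needs its own pass init -p <subdir> <new-id>, or the subdirectory's .gpg-id removed, before it stops depending on the old key.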