How to change the gpg key of the pass password store

Use pass init [-p path] <gpg-id>, where <gpg-id> specifies the new gpg key with which you want to encrypt your passwords. According to the pass man page:

"If the specified gpg-id is different from the key used in any existing files, these files will be reencrypted to use the new id."

This seems to work at least in pass 1.6.5. Please note that you will need access to the old gpg private key in order to decrypt and then reencrypt your passwords.

Caveat 1

If any of your pass directories don't reencrypt with the new key, it may be that the directory has a .gpg-id file that overrides any gpg-id specified at the top level of the password-store directory. I won't cover how to solve this problem in this question since it would probably be a little too tangential, but I will say that the pass man page does a pretty good job of explaining it.

Caveat 2

If your ~/.password-store directory is a git repo (i.e., you at one time ran pass git init), then please note that the old encryption will remain in the git repo's commit history; if your concern is about a potentially compromised gpg key, then you should take whatever steps are necessary to git rid of that git history.
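
A check for the situation in Caveat 1, added here as an example and not part of the original answer: it lists every entry whose nearest .gpg-id file (the one that overrides the top level) does not name the new key. The function names are hypothetical, ids are compared as literal lines exactly as written in .gpg-id, and gpg itself is never invoked.

```shell
#!/usr/bin/env bash
# Added example: audit a pass store for entries still governed by a
# .gpg-id file that does not list the new key id.
# Usage (after sourcing): entries_not_on_new_key ~/.password-store NEW_ID

# Print the .gpg-id file that governs an entry: the nearest one found
# walking up from the entry's directory to the store root.
governing_gpg_id() {
    local store="${1%/}" dir
    dir="$(dirname "$2")"
    while :; do
        if [ -f "$dir/.gpg-id" ]; then
            printf '%s\n' "$dir/.gpg-id"
            return 0
        fi
        # Stop at the store root (or filesystem root if the path is outside it).
        if [ "$dir" = "$store" ] || [ "$dir" = "/" ] || [ "$dir" = "." ]; then
            return 1
        fi
        dir="$(dirname "$dir")"
    done
}

# Print one line per *.gpg entry whose governing .gpg-id lacks NEW_ID.
# Assumption: NEW_ID is given in the same form used inside .gpg-id
# (fingerprint, key id or e-mail); no key lookup is performed.
entries_not_on_new_key() {
    local store="${1%/}" new_id="$2" entry idfile
    find "$store" -name .git -prune -o -type f -name '*.gpg' -print | sort |
    while IFS= read -r entry; do
        if ! idfile="$(governing_gpg_id "$store" "$entry")"; then
            printf '%s\tno .gpg-id found\n' "${entry#"$store"/}"
        elif ! grep -qxF -- "$new_id" "$idfile"; then
            printf '%s\tgoverned by %s\n' \
                "${entry#"$store"/}" "${idfile#"$store"/}"
        fi
    done
}
```

Empty output means every entry falls under a .gpg-id that lists the new id; any line printed names a subdirectory that needs its own pass init -p run.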