It's been five years since I created my Unix password store, encypted with my GPG key pair
password-store. That key expired and now I need to update my database to a new master key.
Now is also a good time to clear out the git history. My key has not (to my knowledge) been compromised, so I don't need to remove all instances of passwords encrypted with the old key, but it will be nice to clear out the old history.
Here are the steps I performed to generate a new key pair and reencrypt the password store with it.
Generate a new key
I created a new key without an expiry date. This is maybe controversial, but I don't intend to share the key with anyone, so I feel it's better to not have to do this again unless the key is compromised.
To do this, I ran:
0 to Please specfy how long the key should be valid. This means it does not expire at all.
It's necessary to give the new key a different name to the old one, so that I can have both of them on my key chain together when reencrypting. I went with
passwords-master as as the "real name".
Following generating new key, I saved it and shared it to my other devices as explained in 2018.
Reencrypt password store
I followed these steps to remove history and reencrypt.
- Remove the current
Shallow clone from GitLab:
git clone --depth 1 email@example.com:milohax/pass.git .password-store
Reencrypt by specifying the new
pass init passwords-master
This prompts for the old key's passphrase to decrypt. It will note the key ID of the key it's reencrypting with.
Verify by decripting a password. This will prompt for the passphrase of the new key
Force-push to GitLab:
pass git push --force origin master
Update on other machines
Each other machine needs to do a fresh pull, and import the new key onto the device's key chain. This was spelled out in the earlier post, but here are the high-level steps and commands.
Export the public key:
gpg --export --armour passwords-master > passwords-master.sec.asc
Then, append the private key:
gpg --export-secret-keys --armour passwords-master >> passwords-master.sec.asc
Don't forget to encrypt the ASCII file with the device key if you're sending by email:
gpg --trust-model always -e -r milo-nokia6.1 passwords-master.sec.asc
Then send the
.gpgfile, not the
With the new key on the keychain, and the updated password-store, you can now view a password entering the new key's passphrase.