change pass key

posted: 2025-10-12

I use Pass as my password manager.

As you may have read in my last post, I'm in the process of upgrading my gpg keys from RSA to ECC. When it came to re-configuring pass to work with my new encryption key, I was pleasantly surprised how easy it was.

By default, pass stores one password per file under `~/.password-store`.

In that dir there is a `.gpg-id` file, which tells pass which gpg key to use to encrypt the passwords. The trick is that it supports encrypting the passwords with multiple keys, one per line. So a key migration is pretty easy: simply add the new key below the first and re-init from inside that dir.

```
$ pass init $(cat .gpg-id)
Password store initialized for xxxxxxxxxxxxxxxxxxx yyyyyy
[master e4e875a] Set GPG id to xxxxxxxxxxxxxxxxxxx yyyyyy.
 1 file changed, 1 insertion(+), 2 deletions(-)
personal/cooking-db-site: reencrypting to xxxxxxxxxxxxxxxx yyyyyy
personal/peer-tube-user: reencrypting to xxxxxxxxxxxxxxxx yyyyyy
personal/etsy: reencrypting to xxxxxxxxxxxxxxxx yyyyyy
personal/roastmarket: reencrypting to xxxxxxxxxxxxxxxx yyyyyy
personal/github: reencrypting to xxxxxxxxxxxxxxxx yyyyyy
...
```

Now the passwords are encrypted with both keys. After backing up your pass dir, via git push for example, you remove the old key from `.gpg-id` and rerun `pass init`.

```
$ pass init $(cat .gpg-id)
Password store initialized for xxxxxxxxxxxxxxxxxxx
[master e4e875a] Set GPG id to xxxxxxxxxxxxxxxxxxx .
 1 file changed, 1 insertion(+), 2 deletions(-)
personal/cooking-db-site: reencrypting to xxxxxxxxxxxxxxxx 
personal/peer-tube-user: reencrypting to xxxxxxxxxxxxxxxx 
personal/etsy: reencrypting to xxxxxxxxxxxxxxxx 
personal/roastmarket: reencrypting to xxxxxxxxxxxxxxxx 
personal/github: reencrypting to xxxxxxxxxxxxxxxx 
...
```

Done! Migrated pass from one key to another.
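
To confirm what each re-init actually did, the following added example (not part of the original post) lists the encryption subkeys every entry is encrypted to and compares them with the keys named in `.gpg-id`. It assumes GnuPG 2.x, a single top-level `.gpg-id` containing key IDs or fingerprints, and gpg's English `public key is` message; the function names are made up for this example.

```sh
#!/bin/sh
# Added example: audit the recipients of every entry in a pass store.
# Usage: . ./audit.sh && audit_store [STORE_DIR]

# stdin: `gpg -v --decrypt --list-only --keyid-format long FILE` output.
# stdout: sorted recipient key IDs (--list-only does not decrypt anything).
recipients_from_list_only() {
    sed -nE 's/^gpg: public key is ([A-F0-9]+)$/\1/p' | LC_ALL=C sort -u
}

# stdin: `gpg --list-keys --with-colons` output.
# stdout: sorted IDs of encryption subkeys (field 12 contains "e") whose
# validity (field 2) is not invalid, disabled or revoked.
enc_subkeys_from_colons() {
    awk -F: '$1 == "sub" && $2 !~ /[idr]/ && $12 ~ /e/ { print $5 }' |
        LC_ALL=C sort -u
}

# Print one verdict line: $1 expected IDs, $2 actual IDs, $3 entry path.
verdict() {
    if [ "$1" = "$2" ]; then
        printf 'ok %s\n' "$3"
    else
        # Unquoted $2 on purpose: joins the ID list onto one line.
        printf 'MISMATCH %s: encrypted to %s\n' "$3" "$(echo $2)"
    fi
}

# Walk the store; returns non-zero if any entry has unexpected recipients.
audit_store() {
    store="${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}"
    ids="$(sed 's/#.*//' "$store/.gpg-id")"   # drop comments, one ID per line
    # $ids is left unquoted on purpose so each line becomes one argument.
    want="$(gpg --list-keys --with-colons $ids | enc_subkeys_from_colons)"
    report="$(find "$store" -name '*.gpg' | while IFS= read -r f; do
        got="$(LC_ALL=C gpg -v --no-secmem-warning --decrypt --list-only \
            --keyid-format long "$f" 2>&1 | recipients_from_list_only)"
        verdict "$want" "$got" "$f"
    done)"
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^MISMATCH'
}
```

Run `audit_store` after the first re-init (both keys should be listed as expected) and again after the second (only the new one). Earlier commits in the store's git history still hold the ciphertext encrypted to the old key.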
