
#1 2024-04-01 00:18:59

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,148

How to configure pass to use different encryption key for same gpg id?

I'm using pass to manage a local, git-enabled password store. A few months ago, I allowed an existing encryption GPG key to expire (I believe this is a sub-key) and generated a new one in order to use rsa4096 rather than rsa2048.

gpg (GnuPG) 2.4.5; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  XXXXXXXXXXXXXXXXXXXXXXXX
created: 2004-03-07  expires: 2024-11-11  usage: SC
trust: ultimate      validity: ultimate
ssb  elg1024/xxxxxxxxxxxxxxxx
created: 2004-03-07  expired: 2017-10-26  usage: E
ssb  rsa2048/xxxxxxxxxxxxxxxx
created: 2017-10-25  expired: 2021-11-01  usage: S
ssb  rsa2048/xxxxxxxxxxxxxxxx
created: 2017-10-25  expired: 2017-10-26  usage: S
ssb  rsa2048/xxxxxxxxxxxxxxxx
created: 2017-10-25  expired: 2023-11-13  usage: E
ssb  rsa4096/xxxxxxxxxxxxxxxx
created: 2023-11-12  expires: 2024-11-11  usage: E
[ultimate] (1). Dr. First M. Last (Philosophy, XXXXX, Some University) <LastF00@some.ac.uk>
[ultimate] (2)  Dr. First M. Last <firstflast@gmail.com>
[ revoked] (3)  Dr. First M. Last <fmlast@somemail.org>
[ revoked] (4)  Dr. First M. Last <last@somemail.com>
[ revoked] (5)  Dr. First M. Last <f.m.last@xxx.edu>
[ revoked] (6)  Dr. First M. Last (YYYYY, Some University) <LastF11@some.ac.uk>
[ultimate] (7)  Dr. First M. Last (XXX, Some University) <LastF00@some.ac.uk>
[ultimate] (8)  Dr. First M. Last (fml) <lastfm@gmail.com>

However, when I use pass to edit an entry at the command line I am warned that the old encryption key expired.

pass edit web/lists.archlinux.org
gpg: Note: secret key AAAAAAAAAAAAAAAA expired at Dydd Llun 13 mis Tachwedd 2023 20:52:14 GMT
[master a018fd7] Edit password for web/lists.archlinux.org using /usr/bin/vim.
1 file changed, 0 insertions(+), 0 deletions(-)

Reading the documentation, I understand that I could re-encrypt the database by using

pass --init <new-gpg-id>

but my GPG id hasn't altered --- all I've done is added new sub-keys --- and I cannot figure out how to safely update the database or, at least, tell pass to just use the new encryption sub-key when necessary.

Am I managing my GPG key incorrectly? What's the best way to manage the password store when GPG encryption keys need to be updated?



Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
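An added check, not part of the post above: this script walks a pass store and reports, for each entry, which recipient key IDs it was encrypted to, and marks STALE any entry whose recipients no longer include a usable (non-expired, non-revoked) encryption subkey of the store's `.gpg-id`. That is the situation the warning above describes (old entries still bound to the expired rsa2048 subkey, new ones to the rsa4096 subkey). It assumes gpg 2.x on PATH and `PASSWORD_STORE_DIR` (default `~/.password-store`); nothing is decrypted.

```shell
#!/bin/sh
# Added example (not from the forum post). Reports which recipient subkey each
# pass entry is encrypted to and flags entries bound only to expired/revoked subkeys.
# Assumptions: gpg 2.x on PATH; the store holds *.gpg files and a .gpg-id file.
STORE="${PASSWORD_STORE_DIR:-$HOME/.password-store}"

# Pull the 16-hex recipient key IDs out of `gpg --list-packets` output read on stdin
# (one ":pubkey enc packet:" line per recipient). Pure text parsing, no gpg needed.
recipients_from_packets() {
    awk '/^:pubkey enc packet:/ { for (i = 1; i <= NF; i++) if ($i == "keyid") print $(i+1) }'
}

# Usable encryption subkeys from a `gpg --with-colons --list-keys` listing on stdin:
# field 2 = validity (e = expired, r = revoked), field 5 = key ID, field 12 = capabilities.
usable_enc_subkeys_from_listing() {
    awk -F: '$1 == "sub" && $2 != "e" && $2 != "r" && $12 ~ /e/ { print $5 }'
}

# Return 0 if key ID $1 occurs in the whitespace-separated list $2.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# Walk the store: print STATUS, entry path and its recipient key IDs (comma-separated).
# STALE means none of the recipients is a currently usable encryption subkey of .gpg-id,
# i.e. the entry would have to be re-encrypted to stop depending on an expired subkey.
check_store() {
    gpg_id=$(head -n1 "$STORE/.gpg-id")
    usable=$(gpg --batch --with-colons --list-keys "$gpg_id" 2>/dev/null \
             | usable_enc_subkeys_from_listing | tr '\n' ' ')
    find "$STORE" -name '*.gpg' | while read -r f; do
        # --pinentry-mode cancel: list packets without trying to unlock the secret key
        rcpts=$(gpg --batch --pinentry-mode cancel --list-packets "$f" 2>/dev/null \
                | recipients_from_packets)
        status=STALE
        for r in $rcpts; do in_list "$r" "$usable" && status=OK; done
        printf '%s %s %s\n' "$status" "${f#$STORE/}" "$(printf '%s' "$rcpts" | tr '\n' ',')"
    done
}
```

Run `check_store` after sourcing the script; an all-OK report means every entry is already encrypted to the current rsa4096 subkey.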
