Replacing GPG private keys

Tags: life, privacy

Keybase was acquired by Zoom on May 7, 2020.

Although I don’t have any evidence that Zoom is not trustworthy, I just don’t trust it. I deleted my account immediately after I saw the news. Since my private keys were all generated by the keybase CLI and have been synced with it, I think it’s a good idea to replace them as well.

I currently only use my GPG key with pass, for signing git commits, for an .authinfo.gpg file used by Emacs, and for a .mailpass.gpg file used by mbsync.

Generate new keys.

This is pretty straightforward: run gpg --full-gen-key and follow the prompts. I’m using RSA and RSA with a 4096-bit key size and no expiration. (If you do set an expiration date, it can be extended later with the expire command in gpg --edit-key, so it is not a one-way decision.)

Do this twice to generate two keys: one for personal use and one for signing git commits at work.

Find each <new-key-id> with gpg --list-secret-keys. Recent GnuPG versions print the full fingerprint; the long key id is its last 16 hex digits, and gpg --list-secret-keys --keyid-format long shows it directly.

Re-encrypt the password store.

First check for a .gpg-id file in the password store directory; if it exists, it contains the old key id, so remove it. Then run pass init with the newly generated key, which re-encrypts every password file in the store. This has to happen while the old key is still in the keyring, because pass needs it to decrypt each entry before re-encrypting it. If the store is a git repository, pass commits the re-encrypted files for you.

cd .password-store
rm .gpg-id
pass init <new-key-id>

Reference: pgp - How to change the gpg key of the pass password store - Ask Ubuntu

Change git commit signing key.

I have multiple git configs selected by gitdir: conditional includes, so I just update all the .gitconfig files, replacing the old key id with the new one. If only one git config is used, it can also be changed from the terminal.

git config --global user.signingkey <new-key-id>

After the next signed commit, git log --show-signature -1 confirms that git is signing with the new key.

Export the public key by running

gpg --export --armor <new-key-id> | pbcopy

pbcopy is a wrapper I use to send stdout to the clipboard.

#!/bin/bash
# Copy stdin to the clipboard on both macOS and X11.
if [[ $(uname) == "Darwin" ]]; then
    # Call the real binary by absolute path so this wrapper,
    # which is also named pbcopy, does not invoke itself.
    /usr/bin/pbcopy
else
    # -f makes the first xclip echo its input to stdout, so the same
    # data lands in both the CLIPBOARD and the PRIMARY selection.
    xclip -i -sel c -f | xclip -i -sel p
fi

Then go to GitHub/GitLab or any other service that needs it, add the new public key under the GPG key settings and remove the old one.

Other files encrypted with gpg.

Just decrypt and re-encrypt them. Note that --encrypt takes its recipient from --recipient (-r); --default-key only selects the key used for signing, so without -r gpg will prompt for a recipient. Also be aware that the plaintext sits on disk between the two commands, and rm does not overwrite it; do this on an encrypted filesystem or pipe the two gpg invocations together instead.

gpg --decrypt -o authinfo.txt .authinfo.gpg
gpg --encrypt --yes --recipient <new-key-id> -o .authinfo.gpg authinfo.txt
rm authinfo.txt

gpg --decrypt -o mailpass.txt .mailpass.gpg
gpg --encrypt --yes --recipient <new-key-id> -o .mailpass.gpg mailpass.txt
rm mailpass.txt
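As an added example (not code from the original post), here is a small POSIX shell script that covers both the password store step and the standalone-file step: it lists every *.gpg file under a directory that is not encrypted to one of the new key’s encryption subkeys, and with --fix re-encrypts each such file through a pipe, so the plaintext never lands on disk and a file is only replaced if its decryption actually succeeded. It assumes GnuPG 2.1 or later (for --pinentry-mode), that <new-key-id> is already in the keyring, and that the files are binary .gpg (add --armor for .asc files). The gpg --list-packets and --with-colons samples embedded in it are constructed for an offline self-test and are not real keys.

```shell
#!/bin/sh
# Added example, not code from the original post. Finds *.gpg files that are
# not encrypted to the new key and re-encrypts them through a pipe, so the
# plaintext never touches disk. Assumes GnuPG 2.1+ (--pinentry-mode) and that
# <new-key-id> names a key already in the keyring.

# From a `gpg --list-packets` dump on stdin, print the long key ids the
# message is encrypted to. These are encryption *subkey* ids, not the id of
# the primary key that `gpg --list-secret-keys` shows first.
enc_keyids() {
    sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]*\).*/\1/p' | tr 'a-f' 'A-F'
}

# From `gpg --list-keys --with-colons` output on stdin, print the ids of
# encryption-capable subkeys (field 5 = key id, field 12 = capabilities).
enc_subkeys() {
    awk -F: '$1 == "sub" && $12 ~ /e/ { print $5 }'
}

# Succeeds if any id in list $1 also appears in list $2 (whitespace-separated).
any_in() {
    for id in $1; do
        case " $(printf '%s ' $2)" in *" $id "*) return 0 ;; esac
    done
    return 1
}

# Key ids that file $1 is encrypted to; --pinentry-mode cancel stops gpg from
# prompting for a passphrase while it walks the packets.
file_keyids() {
    gpg --batch --pinentry-mode cancel --list-packets "$1" 2>/dev/null | enc_keyids
}

# Print every *.gpg under directory $2 that is not readable with key $1.
needs_reencrypt() {
    subs=$(gpg --batch --list-keys --with-colons "$1" 2>/dev/null | enc_subkeys)
    find "$2" -type f -name '*.gpg' | while read -r f; do
        any_in "$(file_keyids "$f")" "$subs" || echo "$f"
    done
}

# Decrypt $1 and re-encrypt it to recipient $2 via a pipe. The file is replaced
# only if the decrypt step succeeded; otherwise gpg would happily encrypt the
# empty output of a failed decrypt and the original content would be lost.
reencrypt_file() {
    f=$1; r=$2; tmp="$f.tmp.$$"; st="$f.status.$$"
    { gpg --batch --decrypt "$f"; echo "$?" >"$st"; } \
        | gpg --batch --yes --recipient "$r" --encrypt -o "$tmp"
    enc_rc=$?
    dec_rc=$(cat "$st" 2>/dev/null || echo 1); rm -f "$st"
    if [ "$enc_rc" -eq 0 ] && [ "$dec_rc" -eq 0 ]; then
        mv -f "$tmp" "$f"
    else
        rm -f "$tmp"; echo "failed: $f" >&2; return 1
    fi
}

# Constructed gpg output for an offline self-test (placeholder ids, not real keys).
SAMPLE_PACKETS=':pubkey enc packet: version 3, algo 1, keyid 0123456789ABCDEF
	data: [4096 bits]
:encrypted data packet:
	mdc_method: 2'
SAMPLE_COLONS='pub:u:4096:1:AAAAAAAAAAAAAAAA:1588800000:::u:::scESC::::::23::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1588800000::::::e::::::23:'

selftest() {
    [ "$(printf '%s\n' "$SAMPLE_PACKETS" | enc_keyids)" = 0123456789ABCDEF ] &&
    [ "$(printf '%s\n' "$SAMPLE_COLONS" | enc_subkeys)" = BBBBBBBBBBBBBBBB ] &&
    ! any_in 0123456789ABCDEF BBBBBBBBBBBBBBBB &&
    any_in "0123456789ABCDEF BBBBBBBBBBBBBBBB" BBBBBBBBBBBBBBBB
}

# Usage: sh reencrypt.sh <new-key-id> <dir>        # list files still on the old key
#        sh reencrypt.sh <new-key-id> <dir> --fix  # and re-encrypt them
case "$#:${3:-}" in
    2:)      needs_reencrypt "$1" "$2" ;;
    3:--fix) needs_reencrypt "$1" "$2" | while read -r f; do reencrypt_file "$f" "$1"; done ;;
    *)       selftest && echo "self-test ok; usage: $0 <new-key-id> <dir> [--fix]" >&2 ;;
esac
```

Run it as sh reencrypt.sh <new-key-id> ~/.password-store after pass init to confirm that no entry is still encrypted only to the old key, and with --fix on a directory of standalone files such as the .authinfo.gpg and .mailpass.gpg above; for a git-backed store commit the rewritten files afterwards, since the script does not. The ids it compares are encryption subkey ids: pass and gpg encrypt to the subkey, so matching against the primary key id from gpg --list-secret-keys would report every file as stale.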

Remove the old gpg key.

Back up the old key first, in case something was missed in the steps above. Keep the exported secret key somewhere encrypted: the armored file is protected only by the key’s passphrase. And if the old public key was ever published (keyservers, GitHub, your website), deleting it locally tells nobody else; revoke it first with the revocation certificate that GnuPG 2.1+ stored in ~/.gnupg/openpgp-revocs.d/ when the key was generated (or one made with gpg --gen-revoke), and upload the revoked key wherever the public key lives.

gpg --export --armor <old-key-id> > old_pubkey.asc
gpg --export-secret-keys --armor <old-key-id> > old_privkey.asc
gpg --delete-secret-and-public-key <old-key-id>

There will be a lot of confirmation popups; just hit delete 🙂️.

Conclusion

It’s quite easy, I’d say; definitely easier than replacing an email address or phone number. Be safe.