Replacing GPG private keys

  1. life
  2. privacy

Keybase is acquired by Zoom on May 7, 2020.

Although I don’t have any evidence why Zoom is not trustworthy, I just don’t. I deleted my account immediately after I saw the news. Since my private keys are all generated by keybase cli and have been synced with it, so I think it’s a good idea to replace them as well.

I currently only use gpg key with pass, git commit sign, an .authinfo.gpg file used by emacs, and a .mailpass.gpg file used by mbsync.

Generate new keys.

This is pretty straightforward, just run gpg --full-gen-key and follow the instructions, I’m using RSA and RSA with 4096 bits keysize and no expire options.

Do this twice to generate two keys, one for personal use, and one for sign git commits for work.

Find out the <new-key-id> with gpg --list-secret-keys.

Re-encrypt the password store.

First check for .gpg-id file in the password store directory, if it exists, it should contain the old gpg key-id, just remove it. The just run a pass init with newly generated key to re-encrypt all password files in it.

cd .password-store
rm .gpg-id
pass init <new-key-id>

references: pgp - How to change the gpg key of the pass password store - Ask Ubuntu

Change git commit signing key.

I have multiple git config with gitdir: config, just update all .gitconfig files, replacing the old key id with the new one. If only one git config is used, it can also be changed in terminal.

git config user.signingkey <new-key-id>

Get a public key export by running

gpg --export --armor <new-key-id> | pbcopy

pbcopy is a wrapper I use for save stdout to clipboard.

if [[ $(uname) == "Darwin" ]]; then
    xclip -i -sel c -f |xclip -i -sel p

Then go to GitHub/GitLab or any other service needed, add the new pubkey and remove the old key from GPG Key Settings.

Other files encrypted with gpg.

Just do a decrypt and encrypt.

gpg --decrypt -o authinfo.txt .authinfo.gpg
gpg --encrypt -o .authinfo.gpg --default-key <new-key-id> authinfo.txt
rm authinfo.txt

gpg --decrypt -o mailpass.txt .mailpass.gpg
gpg --encrypt -o .mailpass.gpg --default-key <new-key-id> mailpass.txt
rm mailpass.txt

Remove the old gpg key.

Backup keys in case of something missing from the above steps.

gpg --export --armor <old-key-id> > old_pubkey.asc
gpg --export-secret-keys --armor <old-key-id> > old_privkey.asc
gpg --delete-secret-and-public-key <old-key-id>

There will be a lot of popups, just hit delete 🙂️.


It’s quite easy I’d say, definitely easier than replacing an Email address or phone number. Be safe.