If you suspect your master password has been compromised, you should change all your passwords. At that point, you essentially are creating a new password store from scratch.
On December 14, 2015 11:22:41 AM GMT+11:00, [email protected] wrote:
>Hello,
>
>On 2015-12-06 23:34, Lucas Hoffmann wrote:
>> The man page says you should use "pass init [-p subfolder] newid". Or
>> do you need some info that is not in the man page?
>
>On 2015-12-07 12:22, Martijn van Dijk wrote:
>> I just did this, you can run pass init <key ID 1> <key ID 2> and it will
>> re-encrypt all the stored passwords with both key 1 and 2. You can
>> probably use this to remove the old key too.
>
>My bad, I should have RTFM more carefully (I only grepped "rotation").
>That's exactly what I was looking for.
>
>Thank you.
>
>On 2015-12-06 23:37, Emil Lundberg wrote:
>> I'd like to provide a friendly reminder that if you do that, make sure to
>> also (securely) delete all copies of your password store encrypted with the
>> old key(s) as they can still be decrypted with the old key(s). This
>> includes old commits if you use git to version your repository, as well as
>> any backups you may have.
>>
>> I'm not saying rotating keys is a bad idea, just that this is something you
>> need to keep in mind if you do.
>
>Of course.
>
>On 2015-12-07 08:32, Mike Charlton wrote:
>> On 7 December 2015 at 08:37, Emil Lundberg <[email protected]> wrote:
>>> I'm not saying rotating keys is a bad idea, just that this is something
>>> you need to keep in mind if you do.
>>
>> I'm not sure why it would be considered a good idea. Unless I'm missing
>> something the reason for rotating your password is to ensure that if
>> someone has gotten access to it somehow, they have limited time to make use
>> of it. Since your old key is still active, that argument doesn't apply.
>> It just makes key management more difficult. Unless you export everything
>> out and re-encrypt it, I would say that rotating keys *is* a bad idea.
>
>Because at some point, you might want/need to change key: because you
>believe it could have been compromised (and therefore want to re-encrypt
>your password-store and get rid of the version encrypted with the
>potentially compromised key asap); because you want to use stronger
>crypto (generate a new – longer – key, switch to ECC,...), … There are
>tens of reasons I can think of that would require key rotation.
>_______________________________________________
>Password-Store mailing list
>[email protected]
>http://lists.zx2c4.com/mailman/listinfo/password-store
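The reminder quoted in the thread, that copies encrypted with the old key(s) can still be decrypted with them, can be checked after a `pass init` re-encryption by reading the recipient key IDs out of each `.gpg` file. The following is an added example, not part of the original thread and not code from pass; it assumes binary (unarmored) files with version 3 public-key encrypted session key (PKESK) packets, and the key IDs, file names and packet bodies in it are constructed.

```python
import struct

def pkesk_key_ids(data: bytes) -> list[str]:
    """Key IDs named in the leading PKESK (tag 1) packets of a binary OpenPGP message."""
    ids, pos = [], 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("not a binary OpenPGP packet stream")
        pos += 1
        if hdr & 0x40:                                   # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
            else:
                break                                    # partial length: data packet reached
        else:                                            # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                break                                    # indeterminate length
            size = 1 << ltype
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        if tag != 1:
            break                                        # PKESKs precede the encrypted data
        body = data[pos:pos + length]
        if len(body) >= 9 and body[0] == 3:              # v3: version, then 8-byte key ID
            ids.append(body[1:9].hex().upper())          # all zeros = hidden recipient
        pos += length
    return ids

def still_encrypted_to(files: dict[str, bytes], old_key_id: str) -> list[str]:
    """Names of files the old key can still decrypt (give the encryption subkey's ID)."""
    old = old_key_id.upper()[-16:]
    return sorted(n for n, blob in files.items() if old in pkesk_key_ids(blob))

# Constructed sample data: made-up key IDs and dummy packet bodies, not real ciphertext.
OLD, NEW = "1111111111111111", "2222222222222222"
def _pkesk(key_id: str, new_format: bool = False) -> bytes:
    body = b"\x03" + bytes.fromhex(key_id) + b"\x01" + b"\x00" * 4
    return bytes([0xC1 if new_format else 0x84, len(body)]) + body
_SEIPD = bytes([0xD2, 3, 1, 0, 0])                       # tag 18 packet with dummy body
SAMPLE = {
    "email/work.gpg": _pkesk(NEW) + _SEIPD,              # re-encrypted copy
    "backup/email/work.gpg": _pkesk(OLD) + _SEIPD,       # forgotten backup copy
    "bank.gpg": _pkesk(OLD, new_format=True) + _pkesk(NEW) + _SEIPD,
}
```

On a real store the mapping would be built from every `.gpg` file in the working tree, in backups, and in blobs from old git commits; any name returned is a copy that still has to be deleted or re-encrypted.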
