GnuPG not encrypting except ProtonMail Bridge

AKM123

I'm trying to encrypt my files before I do some very important business internationally, but in the process I lost the encryption of my password store with pass and the ability to lock LibreOffice documents with GPG. I had GPG in place, but following this very good link very late at night I messed up my existing system's encryption. I can make encrypted documents, but they do not prompt me for the password. My password store is only encrypted for the "trial" passwords I input with each new GnuPG key, but now I can't re-encrypt the store as a whole because there are several entries with a different passphrase, becoming trial-and-error at best to match.

Below is the painstakingly anonymized transcript of my terminal during that late night session:

Bash:
[user@archlinux ~]$ diceware
Pass1
[user@archlinux ~]$ diceware
Pass2
[user@archlinux ~]$ man pass
[user@archlinux ~]$ diceware
Pass3
[user@archlinux ~]$  diceware
Pass4
[user@archlinux ~]$ man pass
[user@archlinux ~]$

[user@archlinux ~]$ gpg --full-generate-key
gpg (GnuPG) 2.2.41; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
  (1) RSA and RSA (default)
  (2) DSA and Elgamal
  (3) DSA (sign only)
  (4) RSA (sign only)
 (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
        0 = key does not expire
     <n>  = key expires in n days
     <n>w = key expires in n weeks
     <n>m = key expires in n months
     <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Mon 21 Apr 2025 05:06:31 PM PDT
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: First Last
Email address: [email protected]
Comment: Not old one
You selected this USER-ID:
   "First Last(Not old one) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/key4.rev'
public and secret key created and signed.

pub   rsa4096 2023-04-23 [SC] [expires: 2025-04-22]
     key4
uid                      First Last(Not old one) <[email protected]>
sub   rsa4096 2023-04-23 [E] [expires: 2025-04-22]

[user@archlinux ~]$ gpg --list-key [email protected]
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   4  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: next trustdb check due at 2025-04-12
pub   rsa4096 2023-04-13 [SC] [expires: 2025-04-12]
     key2
uid           [ultimate] First Last<[email protected]>
sub   rsa4096 2023-04-13 [E] [expires: 2025-04-12]

pub   rsa4096 2023-04-22 [SC] [expires: 2025-04-21]
     key3
uid           [ultimate] First Last(emailkey) <[email protected]>
sub   rsa4096 2023-04-22 [E] [expires: 2025-04-21]

pub   rsa4096 2023-04-23 [SC] [expires: 2025-04-22]
     key4
uid           [ultimate] First Last(Not old one) <[email protected]>
sub   rsa4096 2023-04-23 [E] [expires: 2025-04-22]

[user@archlinux ~]$ gpg --send-key key4
gpg: sending key key4short to hkps://keyserver.ubuntu.com
[user@archlinux ~]$ gpg --export-secret-keys -a key4 > my_secret_key.asc
[user@archlinux ~]$ gpg --export -a key4 > my_public_key.asc
[user@archlinux ~]$ pass fakewebsite.com
fakewebsitepassword
[user@archlinux ~]$ pass wikipdedia.org/Wikiusername
Error: wikipdedia.org/Wikiusername is not in the password store.
[user@archlinux ~]$ pass wikipdedia.org
Error: wikipdedia.org is not in the password store.
[user@archlinux ~]$ pass wikipedia.org/Wikiusername
overusedpassword
[user@archlinux ~]$ gpg2 --list-secret-keys --keyid-format LONG
/home/user/.gnupg/pubring.kbx
-------------------------------
sec   rsa3072/key1short 2022-09-30 [SC]
     key1
uid                 [ultimate] ProtonMail Bridge
ssb   rsa3072/ssb1 2022-09-30 [E]

sec   rsa4096/key2short 2023-04-13 [SC] [expires: 2025-04-12]
     key2
uid                 [ultimate] First Last<[email protected]>
ssb   rsa4096/ssb2 2023-04-13 [E] [expires: 2025-04-12]

sec   rsa4096/key3short 2023-04-22 [SC] [expires: 2025-04-21]
     key3
uid                 [ultimate] First Last(emailkey) <[email protected]>
ssb   rsa4096/ssb3 2023-04-22 [E] [expires: 2025-04-21]

sec   rsa4096/key4short 2023-04-23 [SC] [expires: 2025-04-22]
     key4
uid                 [ultimate] First Last(Not old one) <[email protected]>
ssb   rsa4096/ssb4 2023-04-23 [E] [expires: 2025-04-22]

[user@archlinux ~]$ pass
Password Store
├── github.com
│   ├── ssh
│   │   └── fingerprint
│   ├── ssh
│   └── tokenclassic
├── website2.com
├── protonmail-credentials
│   └── protonkeytext
│       └── protonkeytext2
├── thunderbird.my
├── wikipedia.org
│   └── Wikiusername
└── fakewebsite.com
[user@archlinux ~]$ pass github.com
github.com
├── ssh
│   └── fingerprint
├── ssh
└── tokenclassic
[user@archlinux ~]$ pass github.com/ssh
overusedpassword
[user@archlinux ~]$ pass insert website1.com
Enter password for website1.com:  
Retype password for website1.com:  
[user@archlinux ~]$ pass website1.com
gpg: decryption failed: No secret key
[user@archlinux ~]$ pass website1.com
password
[user@archlinux ~]$ pass thunderbird.my
key3
[user@archlinux ~]$ pass website2.com
website2pass
[user@archlinux ~]$ whereis pass
pass: /usr/bin/pass /usr/share/man/man1/pass.1.gz
[user@archlinux ~]$ pass git push -u --all
Error: the password store is not a git repository. Try "pass git init".
[user@archlinux ~]$ pass git init
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint:
hint:   git config --global init.defaultBranch <name>
hint:
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint:
hint:   git branch -m <name>
Initialized empty Git repository in /home/user/.password-store/.git/
[master (root-commit) 785311d] Add current contents of password store.
10 files changed, 5 insertions(+)
create mode 100644 .gpg-id
create mode 100644 github.com/ssh.gpg
create mode 100644 github.com/ssh/fingerprint.gpg
create mode 100644 github.com/tokenclassic.gpg
create mode 100644 website2.com.gpg
create mode 100644 website1.com.gpg
create mode 100644 protonmail-credentials/protonkey.gpg
create mode 100644 thunderbird.my.gpg
create mode 100644 wikipedia.org/Wikiusername.gpg
create mode 100644 fakewebsite.com.gpg
[master 0b85d9b] Configure git repository for gpg file diff.
1 file changed, 1 insertion(+)
create mode 100644 .gitattributes
[user@archlinux ~]$ gpg --full-generate-key
gpg (GnuPG) 2.2.41; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
  (1) RSA and RSA (default)
  (2) DSA and Elgamal
  (3) DSA (sign only)
  (4) RSA (sign only)
 (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
        0 = key does not expire
     <n>  = key expires in n days
     <n>w = key expires in n weeks
     <n>m = key expires in n months
     <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Mon 21 Apr 2025 05:32:45 PM PDT
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: First Middle Last
Email address: [email protected]
Comment: NewEmail
You selected this USER-ID:
   "First Middle Last (NewEmail) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/key5.rev'
public and secret key created and signed.

pub   rsa4096 2023-04-23 [SC] [expires: 2025-04-22]
     key5
uid                      First Middle Last (NewEmail) <[email protected]>
sub   rsa4096 2023-04-23 [E] [expires: 2025-04-22]

[user@archlinux ~]$ gpg --list-key [email protected]
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   5  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 5u
gpg: next trustdb check due at 2025-04-12
pub   rsa4096 2023-04-13 [SC] [expires: 2025-04-12]
     key2
uid           [ultimate] First Last<[email protected]>
sub   rsa4096 2023-04-13 [E] [expires: 2025-04-12]

pub   rsa4096 2023-04-22 [SC] [expires: 2025-04-21]
     key3
uid           [ultimate] First Last(emailkey) <[email protected]>
sub   rsa4096 2023-04-22 [E] [expires: 2025-04-21]

pub   rsa4096 2023-04-23 [SC] [expires: 2025-04-22]
     key4
uid           [ultimate] First Last(Not old one) <[email protected]>
sub   rsa4096 2023-04-23 [E] [expires: 2025-04-22]

pub   rsa4096 2023-04-23 [SC] [expires: 2025-04-22]
     key5
uid           [ultimate] First Middle Last (NewEmail) <[email protected]>
sub   rsa4096 2023-04-23 [E] [expires: 2025-04-22]

[user@archlinux ~]$ gpg --send-key key5
gpg: sending key key5short to hkps://keyserver.ubuntu.com
[user@archlinux ~]$ gpg --export-secret-keys -a key5 > my_secret_key.asc
[user@archlinux ~]$ gpg --export -a key5 > my_public_key.asc
[user@archlinux ~]$ pass fakewebsite.com
gpg: decryption failed: No secret key
[user@archlinux ~]$ pass fakewebsite.com
gpg: decryption failed: No secret key
[user@archlinux ~]$ pass wikipedia.org/Wikiusername
gpg: decryption failed: No secret key
[user@archlinux ~]$ gpg --gen-revoke --output revoke.asc key5

sec  rsa4096/key5short 2023-04-23 First Middle Last (NewEmail) <[email protected]>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
 0 = No reason specified
 1 = Key has been compromised
 2 = Key is superseded
 3 = Key is no longer used
 Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
>  
Reason for revocation: Key has been compromised
(No description given)
Is this okay? (y/N) y
ASCII armored output forced.
File 'revoke.asc' exists. Overwrite? (y/N) y
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
[user@archlinux ~]$ pass wikipedia.org
wikipedia.org
└── Wikiusername
[user@archlinux ~]$ gpg --full-generate-key
gpg (GnuPG) 2.2.41; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
  (1) RSA and RSA (default)
  (2) DSA and Elgamal
  (3) DSA (sign only)
  (4) RSA (sign only)
 (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
        0 = key does not expire
     <n>  = key expires in n days
     <n>w = key expires in n weeks
     <n>m = key expires in n months
     <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Mon 21 Apr 2025 05:46:14 PM PDT
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: First Middle Last
Email address: [email protected]
Comment:  
You selected this USER-ID:
   "First Middle Last <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/currentkeylong.rev'
public and secret key created and signed.

pub   rsa4096 2023-04-23 [SC] [expires: 2025-04-22]
     currentkeylong
uid                      First Middle Last <[email protected]>
sub   rsa4096 2023-04-23 [E] [expires: 2025-04-22]

[user@archlinux ~]$ gpg --list-key [email protected]
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   6  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 6u
gpg: next trustdb check due at 2025-04-12
pub   rsa4096 2023-04-13 [SC] [expires: 2025-04-12]
     key2
uid           [ultimate] First Last<[email protected]>
sub   rsa4096 2023-04-13 [E] [expires: 2025-04-12]

pub   rsa4096 2023-04-22 [SC] [expires: 2025-04-21]
     key3
uid           [ultimate] First Last(emailkey) <[email protected]>
sub   rsa4096 2023-04-22 [E] [expires: 2025-04-21]

pub   rsa4096 2023-04-23 [SC] [expires: 2025-04-22]
     key4
uid           [ultimate] First Last(Not old one) <[email protected]>
sub   rsa4096 2023-04-23 [E] [expires: 2025-04-22]

pub   rsa4096 2023-04-23 [SC] [expires: 2025-04-22]
     key5
uid           [ultimate] First Middle Last (NewEmail) <[email protected]>
sub   rsa4096 2023-04-23 [E] [expires: 2025-04-22]

pub   rsa4096 2023-04-23 [SC] [expires: 2025-04-22]
     currentkeylong
uid           [ultimate] First Middle Last <[email protected]>
sub   rsa4096 2023-04-23 [E] [expires: 2025-04-22]

[user@archlinux ~]$ gpg --send-key currentkey
gpg: sending key currentkeyshort to hkps://keyserver.ubuntu.com
[user@archlinux ~]$ gpg --export-secret-keys -a currentkey > my_secret_key.asc
[user@archlinux ~]$ gpg --export -a currentkey > my_public_key.asc
[user@archlinux ~]$ pass wikipedia.org
wikipedia.org
└── Wikiusername
[user@archlinux ~]$ pass init -p ~/.password-store
Usage: pass init [--path=subfolder,-p subfolder] gpg-id...
[user@archlinux ~]$ pass init -p ~/.password-store currentkey
mkdir: created directory '/home/user/.password-store//home'
mkdir: created directory '/home/user/.password-store//home/user'
mkdir: created directory '/home/user/.password-store//home/user/.password-store'
Password store initialized for currentkey (/home/user/.password-store)
[master 7b12920] Set GPG id to currentkey (/home/user/.password-store).
1 file changed, 1 insertion(+)
create mode 100644 home/user/.password-store/.gpg-id
[user@archlinux ~]$ pass wikipedia.org/Wikiusername
gpg: decryption failed: No secret key
[user@archlinux ~]$ pass wikipedia.org/Wikiusername
gpg: decryption failed: No secret key
[user@archlinux ~]$ pass wikipedia.org/Wikiusername
overusedpassword
[user@archlinux ~]$ pass
Password Store
├── github.com
│   ├── ssh
│   │   └── fingerprint
│   ├── ssh
│   └── tokenclassic
├── home
│   └── user
├── website2.com
├── website1.com
├── protonmail-credentials
│   └── protonkeytext
│       └── protonkeytext2
├── thunderbird.my
├── wikipedia.org
│   └── Wikiusername
└── fakewebsite.com
[user@archlinux ~]$ pass website2.com
website2pass
[user@archlinux ~]$ pass init -p ~/.password-store currentkey
Password store initialized for currentkey (/home/user/.password-store)
[user@archlinux ~]$ pass home/user
home/user
[user@archlinux ~]$ pass website1.com
gpg: decryption failed: No secret key
[user@archlinux ~]$ pass website1.com
gpg: decryption failed: No secret key
[user@archlinux ~]$ pass website1.com
write
[user@archlinux ~]$ pass insert website2.com
An entry already exists for website2.com. Overwrite it? [y/N] y
Enter password for website2.com:  
Retype password for website2.com:  
Error: the entered passwords do not match.
[user@archlinux ~]$ pass website2.com
website2pass
[user@archlinux ~]$ pass insert website2.com
An entry already exists for website2.com. Overwrite it? [y/N] y
Enter password for website2.com:  
Retype password for website2.com:  
[master 6bcc222] Add given password for website2.com to store.
1 file changed, 0 insertions(+), 0 deletions(-)
[user@archlinux ~]$ pass website2.com
website2pass
[user@archlinux ~]$ pass show website2.com
website2pass
[user@archlinux ~]$ sudo emacs ~/.password-store
[sudo] password for user:  

(emacs:23636): Gtk-CRITICAL **: 18:04:03.324: gtk_distribute_natural_allocation: assertion 'extra_space >= 0' failed
[user@archlinux ~]$ pass remove website2.com
Are you sure you would like to delete website2.com? [y/N] y
removed '/home/user/.password-store/website2.com.gpg'
[master b2facf0] Remove website2.com from store.
1 file changed, 0 insertions(+), 0 deletions(-)
delete mode 100644 website2.com.gpg
[user@archlinux ~]$ pass insert website2.com
Enter password for website2.com:  
Retype password for website2.com:  
[master acb3c42] Add given password for website2.com to store.
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 website2.com.gpg
[user@archlinux ~]$ pass website2.com
website2pass
[user@archlinux ~]$ pass
Password Store
├── github.com
│   ├── ssh
│   │   └── fingerprint
│   ├── ssh
│   └── tokenclassic
├── home
│   └── user
├── website2.com
├── website1.com
├── protonmail-credentials
│   └── protonkeytext
│       └── protonkeytext2
├── thunderbird.my
├── wikipedia.org
│   └── Wikiusername
└── fakewebsite.com
[user@archlinux ~]$ pass wikipedia.org/Wikiusername
overusedpassword
[user@archlinux ~]$ pass wikipedia.org
wikipedia.org
└── Wikiusername
[user@archlinux ~]$ pass insert wikipedia.org
Enter password for wikipedia.org:  
Retype password for wikipedia.org:  
[master 9e8a6bf] Add given password for wikipedia.org to store.
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 wikipedia.org.gpg
[user@archlinux ~]$ pass wikipedia.org
overusedpassword
[user@archlinux ~]$ thunderbird.my
bash: thunderbird.my: command not found
[user@archlinux ~]$ pass thunderbird.my
key3

[user@archlinux ~]$ gpg --list-secret-keys --keyid-format LONG
/home/user/.gnupg/pubring.kbx
-------------------------------
sec   rsa3072/key1short 2022-09-30 [SC]
     key1
uid                 [ultimate] ProtonMail Bridge
ssb   rsa3072/ssb1 2022-09-30 [E]

sec   rsa4096/key2short 2023-04-13 [SC] [expires: 2025-04-12]
     key2
uid                 [ultimate] First Last<[email protected]>
ssb   rsa4096/ssb2 2023-04-13 [E] [expires: 2025-04-12]

sec   rsa4096/key3short 2023-04-22 [SC] [expires: 2025-04-21]
     key3
uid                 [ultimate] First Last(emailkey) <[email protected]>
ssb   rsa4096/ssb3 2023-04-22 [E] [expires: 2025-04-21]

sec   rsa4096/key4short 2023-04-23 [SC] [expires: 2025-04-22]
     key4
uid                 [ultimate] First Last(Not old one) <[email protected]>
ssb   rsa4096/ssb4 2023-04-23 [E] [expires: 2025-04-22]

sec   rsa4096/key5short 2023-04-23 [SC] [expires: 2025-04-22]
     key5
uid                 [ultimate] First Middle Last (NewEmail) <[email protected]>
ssb   rsa4096/ssb5 2023-04-23 [E] [expires: 2025-04-22]

sec   rsa4096/currentkeyshort 2023-04-23 [SC] [expires: 2025-04-22]
     currentkeylong
uid                 [ultimate] First Middle Last <[email protected]>
ssb   rsa4096/currentssb 2023-04-23 [E] [expires: 2025-04-22]

[user@archlinux ~]$
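
An added example, not part of the original post: one way to see which encryption subkey each entry in a pass store was encrypted to, and whether the store carries more than one `.gpg-id`, as happens after the `pass init -p ~/.password-store currentkey` call in the transcript. It reads the key ID out of each file's leading public-key encrypted session key (PKESK) packets, which is the ID shown on the `ssb` lines of `gpg --list-secret-keys --keyid-format LONG`; the key IDs, labels and the temporary store built by `demo()` are constructed for illustration, and entries are assumed to be binary (not ASCII-armored) OpenPGP files.

```python
import tempfile
from pathlib import Path

def pkesk_key_ids(data: bytes) -> list[str]:
    """Key IDs (16 hex digits) of the leading PKESK packets (tag 1, RFC 4880)."""
    ids, pos = [], 0
    while pos + 1 < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError("not a binary OpenPGP message (ASCII-armored?)")
        new_format = bool(first & 0x40)
        tag = first & 0x3F if new_format else (first >> 2) & 0x0F
        if tag != 1:  # first non-PKESK packet: the encrypted data starts here
            break
        pos += 1
        if new_format:
            o1 = data[pos]
            if o1 < 192:  # one-octet length
                length, pos = o1, pos + 1
            elif o1 < 224:  # two-octet length
                o2 = int.from_bytes(data[pos + 1:pos + 2], "big")
                length, pos = ((o1 - 192) << 8) + o2 + 192, pos + 2
            else:
                raise ValueError("unsupported length encoding for a PKESK packet")
        else:
            n = (1, 2, 4, 0)[first & 0x03]  # 0 = indeterminate length, rejected below
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        body = data[pos:pos + length]
        if len(body) < 10 or body[0] != 3:  # version 3, key ID (8), algorithm (1)
            raise ValueError("truncated or unsupported PKESK packet")
        ids.append(body[1:9].hex().upper())
        pos += length
    return ids

def audit_store(store: Path, subkeys: dict[str, str]) -> dict[str, list[str]]:
    """Map each entry to the labels of the encryption subkeys it is encrypted to."""
    report = {}
    for f in sorted(store.rglob("*.gpg")):
        rel = f.relative_to(store)
        if ".git" not in rel.parts:
            ids = pkesk_key_ids(f.read_bytes())
            report[rel.as_posix()] = [subkeys.get(i, "unknown " + i) for i in ids]
    return report

def gpg_id_files(store: Path) -> list[str]:
    return sorted(p.relative_to(store).as_posix() for p in store.rglob(".gpg-id"))

def sample_entry(key_id: str) -> bytes:
    """Constructed entry: old-format PKESK with a dummy MPI, then a stub tag-18 packet."""
    body = b"\x03" + bytes.fromhex(key_id) + b"\x01" + b"\x00\x00"
    return b"\x85" + len(body).to_bytes(2, "big") + body + b"\xd2\x01\x01"

def demo():
    subkeys = {"2222222222222222": "current key [E]"}  # constructed subkey ID and label
    with tempfile.TemporaryDirectory() as d:
        store = Path(d)
        (store / "home/user/.password-store").mkdir(parents=True)
        for name in (".gpg-id", "home/user/.password-store/.gpg-id"):
            (store / name).write_text("placeholder-key-id\n")
        (store / "fakewebsite.com.gpg").write_bytes(sample_entry("1111111111111111"))
        (store / "website1.com.gpg").write_bytes(sample_entry("2222222222222222"))
        return audit_store(store, subkeys), gpg_id_files(store)

if __name__ == "__main__":
    print(demo())
```

An entry reported as `unknown` is encrypted to a subkey missing from the `subkeys` map, which is the situation in which gpg reports `decryption failed: No secret key`.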
 

