My ever-growing list of passwords became super organised once I started using the excellent Pass (the standard Unix password manager), but when the time came to swap my beloved Thinkpad T440p for a newer model I needed to migrate the whole system over to my new machine. Here is how it’s done:

Step 1. Clone or copy the .password-store directory

Start by copying the entire .password-store directory onto your new machine. Pass has Git support built in so I recommend a bit of the old push and pull. The .password-store should be put into the home directory of your new machine because that’s where Pass expects it to be by default.

# Change to your home directory
cd ~

# Copy the repo using Git
git clone https://github.com/your-git-username/.password-store

# ...Or copy using SFTP (run on the new machine, connecting to the old one,
# because get downloads from the remote side)
sftp user@your-old-machine
get -r .password-store

Step 2. Export your GPG keys

On your old machine run the following command to create a so-called “ASCII-armored version” of the key. This file is not encrypted so keep it safe.

gpg --output private.pgp --armor --export-secret-key username@example

Once you’ve done this you can copy the file over to your new machine ready for importing.

Step 3. Import the keys onto your new machine

Run the following command on your new machine to import the secret key into your keyring.

gpg --import secret-key-filename-here

Once the key has been imported you can list the keys with --list-secret-keys. If things get a bit bumpy at this point and you need to import it more than once, that’s no problem: you’ll just see a message about how the key already exists.

$ gpg --list-secret-keys

pub   rsa3072 2022-01-12 [SC] [expires: 2028-02-22]
      08J5NPEVBNPZ895DAK8PDZYK4NBBU1208J5NPEVB
uid           [ unknown] Dr Robotnik <[email protected]>
sub   rsa3072 2022-01-12 [E] [expires: 2028-02-22]

The ID of the key is the long string on the second line which in the above example starts “08J5”. Copy this to the clipboard or keep it on the screen as you’ll need it for the next step.

If something goes wrong or you’re just playing to learn about GPG keys then you might like to start over with a clean slate by running the following command passing in the ID of the key as an argument:

# Need to start over?
gpg --delete-secret-and-public-key 08J5NPEVBNPZ895DAK8PDZYK4NBBU1208J5NPEVB

Step 4. Install & Set Up Pass

Next we install pass using the standard apt install command, then initialize it with the ID of the key you just imported in the previous step.

sudo apt install pass
pass init 08J5NPEVBNPZ895DAK8PDZYK4NBBU1208J5NPEVB

Step 5. Error when editing or creating passwords in Pass

You should now be able to view all your passwords but if you try and edit, remove, or create one you might see an error such as this:

gpg: A6892A62: There is no assurance this key belongs to the named user
gpg: [stdin]: encryption failed: Unusable public key

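This happens because owner trust is stored in GPG’s local trust database, not in the exported key file, so the imported key arrives on your new machine with unknown trust, whereas your old machine (where, presumably, the key was originally created) trusts it ultimately. Run gpg --list-secret-keys again and you’ll see the level of trust in square brackets on the uid line.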

# Your old machine shows 'ultimate' trust
pub   rsa3072 2022-01-12 [SC] [expires: 2028-02-22]
      08J5NPEVBNPZ895DAK8PDZYK4NBBU1208J5NPEVB
uid           [ ultimate ] Dr Robotnik <[email protected]>
sub   rsa3072 2022-01-12 [E] [expires: 2028-02-22]

# ...But your new machine shows 'unknown' trust
pub   rsa3072 2022-01-12 [SC] [expires: 2028-02-22]
      08J5NPEVBNPZ895DAK8PDZYK4NBBU1208J5NPEVB
uid           [ unknown ] Dr Robotnik <[email protected]>
sub   rsa3072 2022-01-12 [E] [expires: 2028-02-22]

It’s an easy job to change the level of trust. You’ll need the ID of your key again:

gpg --edit-key your-key-id-here

You’ll see an interactive command prompt where you can choose between 5 levels of trust for the key. Type trust to edit the trust options, then give that thing the ultimate trust by entering 5.

gpg> trust

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 

Now exit the GPG prompt by typing quit and you’re all done.
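
A scriptable version of the Step 5 check and fix, added here as an example and not part of the original post: it reads gpg's machine-readable key listing to tell whether the migrated key is usable for encryption, and builds the owner-trust line that sets ultimate trust without the interactive prompt. The function names, the fingerprint and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `gpg --list-keys --with-colons` output on stdin and
# classifies the key whose full fingerprint is $1:
#   missing | untrusted | no-encryption-key | ok
pass_key_status() {
    awk -F: -v want="$1" '
        $1 == "pub" { owner = $9; caps = $12; primary = 1; next }
        $1 == "fpr" && primary {        # first fpr after pub = primary fingerprint
            primary = 0
            if (($10 "") == (toupper(want) "")) { found = 1; o = owner; c = caps }
            next
        }
        END {
            if (!found)        print "missing"
            else if (o != "u") print "untrusted"          # field 9: owner trust
            else if (c !~ /E/) print "no-encryption-key"  # field 12: E = key can encrypt
            else               print "ok"
        }'
}

# Print the line that `gpg --import-ownertrust` reads to mark a key as
# ultimately trusted (value 6), the same result as choosing 5 at the trust prompt.
ownertrust_line() {
    case "$1" in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    [ "${#1}" -eq 40 ] || return 1
    printf '%s:6:\n' "$1" | tr 'a-f' 'A-F'
}

# Constructed sample: a freshly imported key (owner trust "-", i.e. unknown).
FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_NEW='pub:-:3072:1:89ABCDEF01234567:1641945600:1834790400::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1641945600::::Dr Robotnik <robotnik@example.invalid>::::::::::0:
sub:-:3072:1:76543210FEDCBA98:1641945600:1834790400:::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

printf 'imported key: %s\n' "$(printf '%s\n' "$SAMPLE_NEW" | pass_key_status "$FPR")"
printf 'ownertrust line: %s\n' "$(ownertrust_line "$FPR")"

# On a real machine (not run here):
#   gpg --list-keys --with-colons "$FPR" | pass_key_status "$FPR"
#   ownertrust_line "$FPR" | gpg --import-ownertrust
```

Only give ultimate trust this way to a key that is your own and whose fingerprint you have compared against the one shown on the old machine.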