How to move your Linux Pass passwords to another computer and fix the 'Encryption failed: unusable public key' error.
My ever-growing list of passwords became super organised once I started using the excellent Pass (the standard Unix password manager), but when the time came to swap my beloved Thinkpad T440p for a newer model I needed to migrate the whole setup over to the new machine. Here is how it's done:
Start by copying the entire .password-store directory onto your new machine. Pass has Git support built in, so I recommend a bit of the old push and pull. The .password-store directory should be put into the home directory of your new machine because that's where Pass expects it to be by default (set PASSWORD_STORE_DIR if you keep it somewhere else). One caveat if you go the Git route: the entries themselves are GPG-encrypted, but the file and folder names and the .gpg-id file are plain text, so a public repository reveals which accounts you hold; use a private remote.
# Change to your home directory
cd ~
# Copy the repo using Git
git clone https://github.com/your-git-username/.password-store
# ...Or, from the new machine, pull the directory from the old one over SFTP
sftp user@your-old-machine
get -r .password-store
On your old machine run the following command to export an ASCII-armored copy of your secret key (GnuPG 2.1 and later will ask for the key's passphrase first). Armor is only a text encoding, not encryption: the key material in this file is protected by nothing more than the key's passphrase, so keep it safe, move it over a trusted channel such as scp, and delete it from both machines once the import has succeeded. Note that the export contains the key but not the trust you assigned to it on the old machine; that lives in GnuPG's trust database, which is why the imported key shows up as "unknown" further down.
gpg --output private.pgp --armor --export-secret-key username@example
Once you've done this you can copy the file over to your new machine ready for importing.
Run the following command on your new machine to import the secret key into your keyring (the matching public key is imported along with it):
gpg --import secret-key-filename-here
Once the key has been imported you can list the keys with --list-secret-keys. If things get a bit bumpy at this point and you import it more than once, that's no problem; you'll just see a message that the key is already in the keyring.
$ gpg --list-secret-keys
sec   rsa3072 2022-01-12 [SC] [expires: 2028-02-22]
      08J5NPEVBNPZ895DAK8PDZYK4NBBU1208J5NPEVB
uid           [ unknown] Dr Robotnik <[email protected]>
ssb   rsa3072 2022-01-12 [E] [expires: 2028-02-22]
The long string on the second line is the key's fingerprint, which in the above example starts "08J5" (in real output it is 40 hexadecimal digits). GnuPG and Pass accept it anywhere a key ID is expected, so copy it to the clipboard or keep it on the screen as you'll need it for the next step.
If something goes wrong, or you're just playing around to learn about GPG keys, you might like to start over with a clean slate by running the following command with the fingerprint of the key as its argument (it removes both the secret and the public key and asks you to confirm):
# Need to start over?
gpg --delete-secret-and-public-key 08J5NPEVBNPZ895DAK8PDZYK4NBBU1208J5NPEVB
Next we install pass using the standard apt install command, then initialise it with the fingerprint of the key you just imported. pass init writes that ID into ~/.password-store/.gpg-id and re-encrypts any entry that is not already encrypted to that key.
sudo apt install pass
pass init 08J5NPEVBNPZ895DAK8PDZYK4NBBU1208J5NPEVB
You should now be able to decrypt and view all your passwords, but if you try to edit or create one (any operation that has to encrypt to your key) you might see an error such as this:
gpg: A6892A62: There is no assurance this key belongs to the named user
gpg: [stdin]: encryption failed: Unusable public key
This happens because the trust you gave the key is not part of the key itself: it is stored in GnuPG's trust database (trustdb.gpg) on the old machine and is not carried over by --export-secret-key. On the old machine the key was (presumably) generated locally and marked as ultimately trusted, which is what makes its user ID valid. On the new machine the same key arrives with unknown ownertrust, so GnuPG cannot establish that the user ID belongs to you and refuses to encrypt to it, and Pass runs gpg --encrypt under the hood for every write. Run gpg --list-secret-keys again and you'll see the validity in square brackets on the uid line.
# Your old machine shows 'ultimate'
sec   rsa3072 2022-01-12 [SC] [expires: 2028-02-22]
      08J5NPEVBNPZ895DAK8PDZYK4NBBU1208J5NPEVB
uid           [ultimate] Dr Robotnik <[email protected]>
ssb   rsa3072 2022-01-12 [E] [expires: 2028-02-22]
# ...But your new machine shows 'unknown'
sec   rsa3072 2022-01-12 [SC] [expires: 2028-02-22]
      08J5NPEVBNPZ895DAK8PDZYK4NBBU1208J5NPEVB
uid           [ unknown] Dr Robotnik <[email protected]>
ssb   rsa3072 2022-01-12 [E] [expires: 2028-02-22]
It's an easy job to change the level of trust; you'll need the fingerprint of your key again:
gpg --edit-key your-key-id-here
You'll see an interactive prompt where you can choose between five levels of trust for the key. Type trust to see the options, then give the key ultimate trust. Ultimate is the right choice here only because it is your own key; for anyone else's key you would pick one of the lower levels.
gpg> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
Now exit the GPG prompt by typing quit and you're all done: the new ownertrust is saved when you leave, so a final gpg --list-secret-keys should show [ultimate] on the uid line and pass edit will work again. If you'd rather not click through the prompt, the same result comes from dumping the trust database on the old machine with gpg --export-ownertrust and loading that file on the new one with gpg --import-ownertrust.
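The import, the trust fix and the pass initialisation above, collected into one POSIX shell script as an added example; this is not code from the original post or from the pass project. It assumes GnuPG 2.x and pass are installed, and it sets the ownertrust non-interactively with gpg --import-ownertrust rather than through the gpg --edit-key dialogue. The fingerprint, e-mail address and the two colon-format listings inside it are constructed sample values, not a real key. Before running pass init it encrypts a probe string to the key, which is the same operation pass insert and pass edit perform, so the script stops at the "Unusable public key" error instead of touching a store it cannot write to.

```shell
#!/bin/sh
# Added example (not from the original post or from pass). Assumes GnuPG 2.x
# and pass are installed. Usage: sh migrate-pass.sh private.pgp <FINGERPRINT>
set -eu

# Read the first line on stdin and accept only an ASCII-armored secret key,
# so a public key or an ownertrust dump is not imported by mistake.
is_secret_key_block() {
    head -n 1 | grep -q '^-----BEGIN PGP PRIVATE KEY BLOCK-----$'
}

# Build the record gpg --import-ownertrust expects: FINGERPRINT:LEVEL:
# LEVEL is gpg's trust value: 2 unknown, 3 never, 4 marginal, 5 full, 6 ultimate.
# The fingerprint is the 40-hex-digit line printed under 'sec' by --list-secret-keys.
ownertrust_line() {
    fpr=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    level=${2:-6}
    case "$fpr" in
        *[!0-9A-F]*) echo "not a hex fingerprint: $1" >&2; return 1 ;;
    esac
    if [ "${#fpr}" -ne 40 ]; then
        echo "fingerprint must be 40 hex digits, got ${#fpr}" >&2
        return 1
    fi
    printf '%s:%s:\n' "$fpr" "$level"
}

# Ownertrust column (field 9) of the 'sec' record in
# `gpg --with-colons --list-secret-keys` output: 'u' ultimate, '-' unknown.
sec_ownertrust() {
    printf '%s\n' "$1" | awk -F: '$1 == "sec" { print $9; exit }'
}

# Fingerprint: field 10 of the 'fpr' record that follows the 'sec' record.
sec_fingerprint() {
    printf '%s\n' "$1" | awk -F: '$1 == "sec" { want = 1; next } want && $1 == "fpr" { print $10; exit }'
}

# Succeeds when the listing already carries ultimate ownertrust.
has_ultimate_trust() {
    [ "$(sec_ownertrust "$1")" = "u" ]
}

# Constructed colon listings for the two states shown in the post (not real keys):
# the old machine, where the key is ultimately trusted ...
LISTING_OLD_MACHINE=$(cat <<'EOF'
sec:u:3072:1:0123456789ABCDEF:1641945600:1834531200::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1641945600::5A1C3B2D4E6F708192A3B4C5D6E7F8091A2B3C4D::Dr Robotnik <dr.robotnik@example.com>::::::::::0:
ssb:u:3072:1:FEDCBA9876543210:1641945600:1834531200:::::e:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
)
# ... and the new machine right after gpg --import, with unknown ownertrust.
LISTING_NEW_MACHINE=$(cat <<'EOF'
sec:-:3072:1:0123456789ABCDEF:1641945600:1834531200::-:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1641945600::5A1C3B2D4E6F708192A3B4C5D6E7F8091A2B3C4D::Dr Robotnik <dr.robotnik@example.com>::::::::::0:
ssb:-:3072:1:FEDCBA9876543210:1641945600:1834531200:::::e:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
)

# The actual migration: import, fix trust only if needed, prove encryption
# works, then point pass at the key.
migrate_key() {
    keyfile=$1
    fpr=$2
    is_secret_key_block < "$keyfile" || { echo "$keyfile is not an armored secret key" >&2; return 1; }
    gpg --import "$keyfile"
    listing=$(gpg --batch --with-colons --list-secret-keys "$fpr")
    if ! has_ultimate_trust "$listing"; then
        # --export-secret-key does not carry the ownertrust; it lives in
        # trustdb.gpg, so set it here instead of clicking through --edit-key.
        ownertrust_line "$fpr" 6 | gpg --import-ownertrust
    fi
    # pass insert/edit run exactly this encryption; with unknown trust it fails
    # with 'encryption failed: Unusable public key', so stop before pass init.
    printf 'probe\n' | gpg --batch --encrypt --recipient "$fpr" > /dev/null
    pass init "$fpr"
    echo "done; remember to delete $keyfile from both machines"
}

# Run the migration only when a key file and a fingerprint are given.
if [ "$#" -ge 2 ]; then
    migrate_key "$1" "$2"
fi
```

Run it as sh migrate-pass.sh private.pgp <FINGERPRINT> on the new machine. The ownertrust record the script writes is the same line gpg --export-ownertrust would have printed on the old machine, so if that machine is still around you can skip the fingerprint juggling and pipe its output straight into gpg --import-ownertrust.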