Copying Pass Secrets to Another Machine


I had a new laptop but couldn't access my previous one, so I had to figure out how to get my pass secrets. I had these problems:

Getting the old secrets

My home directory was compressed using borg and sent to me using:

borg init /path/to/folder
borg create --progess /path/to/backup::susa /home/username

And on my laptop I ran:

borg mount backup::susa-initial /home/username/borg_mount

This folder is mounted as read only, limiting what I could do in it. Here are some of the errors I got because of this.

gpg --homedir $(pwd) --list-keys
gpg: failed to create temporary file '/home/username/borg_mount/home/username/.password-store/.#lk0x000055b881984170.archlinux.39288': Read-only file system
gpg: keyblock resource '/home/username/borg_mount/home/username/.password-store/pubring.kbx': Read-only file system
gpg: failed to create temporary file '/home/username/borg_mount/home/username/.password-store/.#lk0x000055b881981700.archlinux.39288': Read-only file system
gpg: Fatal: can't create lock for '/home/username/borg_mount/home/username/.password-store/trustdb.gpg'

I copied over the gpg key into a folder outside the mounted borg folder:

cp -r borg_mount/home/username/.gnupg/* gpg_tests/
cd gpg_tests
gpg --homedir $(pwd) --list-keys # this now works

And exported my keys with:

gpg --homedir $(pwd) --output personal_gpg.gpg --armor --export ID_FOR_KEY
gpg --homedir $(pwd) --output personal_sec.gpg --armor --export-secret-keys ID_FOR_KEY

I imported them them with:

gpg --import personal_gpg.gpg
gpg --allow-secret-key-import --import personal_sec.gpg

Working with both password stores

Pass stores the gpg_id in its root folder, so I just copied over the previous pass store into a subdirectory in my new password store.

cp home/username/.password_store ~/.password_store/oldpasswords

Now running pass shows all my passwords, both on from my old laptop and new laptop. It's a little inconvenient because I now have an extra node to go through to access my old passwords but this is an acceptable compromise.

Another unexplored alternative is to convert all the old passwords to use the new gpg key. It should be a simple script that just gets the password from the old gpg key and saves it into the new store.