Figuring out how to use multiple password stores, each with its own GPG key, and, importantly, how to make them work transparently with the Android app.
The point is to be able to share a specific folder (and all its subfolders) with a collaborator without exposing the secrets in the rest of the password store.
🚨 I just found out that the Android Password Store has been retired by its author https://github.com/android-password-store/Android-Password-Store/discussions/3260 🚨
But there is a fork! https://github.com/agrahn/Android-Password-Store with an app on the F-Droid store https://f-droid.org/packages/app.passwordstore.agrahn
Some ideas from the interwebs:
- symlink folders into the password store
- use direnv to set the environment variable PASSWORD_STORE_DIR per directory
- use git submodules
I tried the symlink approach: it works nicely enough on the desktop computer, but not at all on Android with the Passwordstore app.
I considered but did not test the other ideas.
After some more browsing and reading I realized that the pass init command does everything I want.
Start from the entire password store being encrypted to key A. Then, assuming you have created GPG key B, re-encrypt the folder aaa in the password store:
$ pass init --path=aaa B
That's it. pass writes aaa/.gpg-id and re-encrypts every secret under aaa (recursively, except for subfolders that carry their own .gpg-id), so from now on only key B can decrypt them. To encrypt to several keys, list them all: pass init --path=aaa B C D. If you still want to read aaa yourself, include your own key in that list, e.g. pass init --path=aaa A B.
Two caveats before sharing the repository: re-encryption only rewrites the current revision, so the git history still holds the ciphertext encrypted to key A (re-encrypting revokes nothing for anyone who already holds key A and the history); and the collaborator still sees the names of every entry in the whole store, since pass only encrypts the contents, not the file names.
- https://askubuntu.com/questions/929307/how-to-change-the-gpg-key-of-the-pass-password-store
- https://lists.zx2c4.com/pipermail/password-store/2020-June/004183.html
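The recipient lookup that pass init --path relies on, as an added example (this is not the post's own code and not part of pass): a POSIX shell script that builds a constructed store layout (root .gpg-id holding key A, aaa/.gpg-id holding B and C as pass init --path=aaa B C would write it, empty placeholder .gpg files) and lists which key IDs govern each entry by walking up to the nearest .gpg-id, which is the same rule pass applies when it encrypts or re-encrypts. The key IDs A, B, C and all file names are assumptions for the demo; actual_recipients is the optional cross-check against a real store and needs gpg installed.

```shell
#!/bin/sh
# Added example, not code from the original post or from pass itself.
# pass picks recipients from the nearest .gpg-id above a secret; this script
# reproduces that lookup so you can audit which keys govern each entry before
# sharing a folder. Key IDs A, B, C and all file names below are constructed.
set -eu

# Print the key IDs governing directory DIR (relative to store ROOT), found by
# walking up from DIR to the store root until a .gpg-id file exists; this is
# the rule pass applies in set_gpg_recipients.
gpgid_for() {
  root=$1
  dir=$2
  while :; do
    if [ -f "$root/$dir/.gpg-id" ]; then
      # one recipient per line in the file; join them with spaces
      tr '\n' ' ' < "$root/$dir/.gpg-id" | sed 's/ *$//'
      return 0
    fi
    [ "$dir" = "." ] && return 1   # reached the root without any .gpg-id
    dir=$(dirname "$dir")
  done
}

# List every encrypted entry in ROOT with the recipients that govern it.
audit_store() {
  root=$1
  (cd "$root" && find . -type f -name '*.gpg' | sort) | while read -r f; do
    rel=${f#./}
    printf '%s -> %s\n' "$rel" "$(gpgid_for "$root" "$(dirname "$rel")")"
  done
}

# Optional cross-check against a real store (needs gpg): the key IDs a file is
# actually encrypted to. A mismatch with gpgid_for means the file was not
# re-encrypted after its .gpg-id changed.
actual_recipients() {
  gpg --batch --list-packets "$1" 2>/dev/null \
    | sed -n 's/.*keyid \([0-9A-Fa-f]*\).*/\1/p'
}

# Constructed layout: root encrypted to A, aaa (and everything under it) to
# B and C. The .gpg files are empty placeholders standing in for ciphertext.
make_demo_store() {
  store=$1
  mkdir -p "$store/aaa/deeper" "$store/bbb"
  printf 'A\n' > "$store/.gpg-id"
  printf 'B\nC\n' > "$store/aaa/.gpg-id"
  for f in top.gpg aaa/one.gpg aaa/deeper/two.gpg bbb/three.gpg; do
    : > "$store/$f"
  done
}

main() {
  tmp=$(mktemp -d)
  make_demo_store "$tmp"
  audit_store "$tmp"
  rm -rf "$tmp"
}

main
```

Run it on a real store as `audit_store ~/.password-store` and compare a few entries with `actual_recipients ~/.password-store/aaa/one.gpg`; the two lists should agree for every file, otherwise `pass init --path=aaa <ids>` was never run after the .gpg-id was edited by hand.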
Related: how to generate a new GPG keypair
- https://www.linuxbabe.com/security/a-practical-guide-to-gpg-part-1-generate-your-keypair
- https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key
Note that with GnuPG 2.2 (the version in the transcript below) the --expert flag is required to display the option to use ECC (elliptic curve crypto) keys; GnuPG 2.3 and later default to ECC (ed25519/cv25519) without it.
taha@rosetta:~
$ gpg --expert --full-gen-key
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(9) ECC and ECC
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(13) Existing key
(14) Existing key from card
Your selection? 9
Please select which elliptic curve you want:
(1) Curve 25519
(3) NIST P-256
(4) NIST P-384
(5) NIST P-521
(6) Brainpool P-256
(7) Brainpool P-384
(8) Brainpool P-512
(9) secp256k1
Your selection? 1
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: <my name>
Email address: <email address>
Comment:
You selected this USER-ID:
"<Real name> (<Comment>) <Email address>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Please enter the passphrase to
protect your new key
Passphrase:
Repeat:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key <short key id> marked as ultimately trusted
gpg: directory '~/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '~/.gnupg/openpgp-revocs.d/<long key id>.rev'
public and secret key created and signed.
pub ed25519 2026-02-24 [SC]
<long key ID>
uid <Real name> (<Comment>) <Email address>
sub cv25519 2026-02-24 [E]
RSA 4096 is only marginally more secure than RSA 2048 for a noticeable cost in speed and key size, and the GnuPG FAQ argues it is not worth it. For a better security margin than RSA 2048, use elliptic curve crypto (ed25519/cv25519, as generated above) instead.
https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096
How to export your keypair
Export your public key
gpg --armor --export <key id> > pubkey.asc
Export your private key (the file is protected by the key's passphrase, but treat it as a secret all the same: move it over an encrypted channel and delete the copy when done)
gpg --export-secret-keys --armor <key id> > privkey.asc
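The key generation and export above, as an added non-interactive example (not from the original post): a shell script that creates the same kind of key as the --full-gen-key transcript (ed25519 primary key for certify and sign, cv25519 subkey for encryption) in a throwaway GNUPGHOME so it never touches your real keyring, then exports the public and secret keys. It departs from the transcript in one place: it sets a two-year expiry instead of "does not expire", which you can extend later with gpg --quick-set-expire. The user ID, passphrase, expiry and output directory are constructed values.

```shell
#!/bin/sh
# Added example, not from the original post: the non-interactive equivalent of
# the --full-gen-key transcript (ed25519 primary key for certify+sign, cv25519
# subkey for encryption), run in a throwaway GNUPGHOME. The user ID,
# passphrase, 2-year expiry and output directory are constructed values.
set -eu

# Create the key pair for UID protected by PASS and print its fingerprint.
# Giving --quick-generate-key an explicit algorithm creates only the primary
# key, so the encryption subkey is added afterwards with --quick-add-key.
gen_ecc_key() {
  uid=$1
  pass=$2
  gpg --batch --pinentry-mode loopback --passphrase "$pass" \
      --quick-generate-key "$uid" ed25519 default 2y >/dev/null 2>&1
  fpr=$(gpg --batch --with-colons --list-keys "$uid" \
        | awk -F: '$1 == "fpr" { print $10; exit }')
  gpg --batch --pinentry-mode loopback --passphrase "$pass" \
      --quick-add-key "$fpr" cv25519 encr 2y >/dev/null 2>&1
  printf '%s\n' "$fpr"
}

# Export the public key (safe to hand to collaborators) and the passphrase-
# protected secret key (keep it private) as ASCII-armored files in OUTDIR.
export_keys() {
  fpr=$1
  pass=$2
  outdir=$3
  gpg --batch --armor --export "$fpr" > "$outdir/pubkey.asc"
  gpg --batch --pinentry-mode loopback --passphrase "$pass" --armor \
      --export-secret-keys "$fpr" > "$outdir/privkey.asc"
}

# Count the subkeys of FPR that carry capability CAP (e = encrypt); field 12
# of each "sub" record in --with-colons output holds the capability letters.
subkeys_with() {
  gpg --batch --with-colons --list-keys "$1" \
    | awk -F: -v cap="$2" '$1 == "sub" && index($12, cap) { n++ } END { print n + 0 }'
}

main() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 0; }
  GNUPGHOME=$(mktemp -d)
  export GNUPGHOME
  fpr=$(gen_ecc_key "Demo User <demo@example.org>" "demo-passphrase")
  export_keys "$fpr" "demo-passphrase" "$GNUPGHOME"
  echo "fingerprint: $fpr"
  echo "encryption subkeys: $(subkeys_with "$fpr" e)"
  gpg --batch --list-keys "$fpr"
  gpgconf --kill gpg-agent
  rm -rf "$GNUPGHOME"
}

main
```

Drop the GNUPGHOME lines to create the key in your real keyring; the printed fingerprint is then what you pass to `pass init --path=aaa <fingerprint>`. Later, `gpg --passwd <fingerprint>` changes the passphrase without going through the interactive --edit-key session shown further down.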
New idea, perhaps better and less hacky
Directly inspired by this great explainer of how using multiple keys for specific folders should be set up: https://github.com/agrahn/Android-Password-Store/issues/512#issuecomment-3387614461
Change passphrase of your GPG key
taha@rosetta:~
$ gpg --edit-key <key name>
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa2048/<key short id>
created: 2014-11-28 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/<key short id>
created: 2014-11-28 expires: never usage: E
[ultimate] (1). <Real name> <Email address>
gpg> passwd
Please enter the passphrase to unlock the OpenPGP secret key:
"<Real name> <Email address>"
2048-bit RSA key, ID <key short id>,
created 2014-11-28.
Passphrase:
Please enter the new passphrase
Passphrase:
Repeat: