gpg-keyring-accumulation

What if, as a newbie, you have unconsciously created a couple of key pairs over time for the same email address? For instance:

```text
╭╴  alowree on Mac OS at ~
╰─❯ gpg --list-keys --keyid-format=long
[keyboxd]
---------
pub   rsa3072/0FA3B831A86C0ED6 2026-03-25 [SC]
      2F45BAB15C6C3E36049BF44F0FA3B831A86C0ED6
uid                 [ultimate] alowree (passphrase is you cell number) <alowree@soundfreaq.com>
sub   rsa3072/B6AAF16CDACC0318 2026-03-25 [E]
      6143A027730B024B32ED14F5B6AAF16CDACC0318

pub   rsa4096/0E4E7F5FCC8D0F57 2026-06-01 [SC]
      317DD98F9E9A1C8F012541F20E4E7F5FCC8D0F57
uid                 [ultimate] Alowree XU (Email Key) <alowree@twineintl.com>
sub   rsa4096/69314925477BF83D 2026-06-01 [E]
      6E2B6D82A6095B841404AD2969314925477BF83D

pub   rsa3072/7BDEE8D8DC3BC1E8 2026-03-25 [SC]
      A51785DC83ACDCA0F96F1E0F7BDEE8D8DC3BC1E8
uid                 [ultimate] alowree (comment="passphrase is 5925") <alowree@soundfreaq.com>
sub   rsa3072/030B3FB5A8F0271D 2026-03-25 [E]
      95BF49698DA149B055422CFE030B3FB5A8F0271D

pub   ed25519/DD47EED6FE144AEF 2026-05-31 [SC] [expires: 2029-05-30]
      B2A5ADF57FA39E86074E66FADD47EED6FE144AEF
uid                 [ultimate] Alowree XU <alowree@twineintl.com>
sub   cv25519/F153F61B54880586 2026-05-31 [E] [expires: 2029-05-30]
      4E61FBDF819BDF8A1E21848BF153F61B54880586

pub   rsa3072/E83B26728A7BF51D 2026-03-02 [SC]
      ECF191CC68706369F01D26D3E83B26728A7BF51D
uid                 [ultimate] alowree (To use GPG key to encrypt my token file, so even if someone steals it, they can't use it.) <alowree@soundfreaq.com>
sub   rsa3072/73F6AA1229ED459A 2026-03-02 [E]
      CFCDD01D6FD4C2543BC91FE973F6AA1229ED459A
```

What should I do next with these multiple key pairs for the same email address?

Ah, the classic GPG keyring accumulation! Don't sweat it—this is a total rite of passage when you're first getting comfortable with CLI-based cryptography.

Looking closely at your output, you actually have two different email domains mixed in here (@soundfreaq.com and @twineintl.com), with multiple keys generated for each.

Leaving your keyring like this is a recipe for headache. Tools like pass often try to look up keys by email address. If an email has multiple keys, pass might grab the wrong one, encrypt a password, and then you'll get decryption errors later because gpg-agent is prompting you for a passphrase to a completely different key.

Here is your battle plan to clean this up and pick one definitive key for your converged configuration.

Step 1: Pick Your "Chosen One" for twineintl.com

For your isync and neomutt convergence, you are targeting alowree@twineintl.com. You have two keys for this email:

  1. 0E4E7F5FCC8D0F57: An RSA 4096-bit key created today (June 1, 2026). No expiration date.
  2. DD47EED6FE144AEF: A modern Ed25519 (Elliptic Curve) key created yesterday (May 31, 2026). Expires in 3 years.

Which one should you keep?

I highly recommend keeping the Ed25519 key (DD47EED6FE144AEF). Elliptic curve keys are significantly faster, use much shorter key lengths for the equivalent (or better) cryptographic strength of a massive 4096-bit RSA key, and are the modern standard across Linux and macOS.

Step 2: Delete the Redundant twineintl.com Key

Since we chose the Ed25519 key, let’s get rid of the duplicate RSA one so GPG doesn't get confused.

To delete a key pair completely, you must delete the secret (private) key first, and then the public key. Run these commands using the specific Key ID for the RSA key:

```bash
# 1. Delete the private key
gpg --delete-secret-keys 0E4E7F5FCC8D0F57

# 2. Delete the public key
gpg --delete-keys 0E4E7F5FCC8D0F57
```

(GPG will prompt you multiple times to confirm you actually want to do this. Say yes.)

Step 3: Clean up the soundfreaq.com Keys

You have three separate RSA 3072 keys for @soundfreaq.com. Keeping multiple keys with passphrases like "you cell number" or "5925" written in plain text in the User ID comment field defeats the purpose of GPG security. If you don't have any critical data currently encrypted with those keys, delete all three of them to start fresh.

Run these one by one:

```bash
# Delete key E83B26728A7BF51D
gpg --delete-secret-keys E83B26728A7BF51D
gpg --delete-keys E83B26728A7BF51D

# Delete key 7BDEE8D8DC3BC1E8
gpg --delete-secret-keys 7BDEE8D8DC3BC1E8
gpg --delete-keys 7BDEE8D8DC3BC1E8

# Delete key 0FA3B831A86C0ED6
gpg --delete-secret-keys 0FA3B831A86C0ED6
gpg --delete-keys 0FA3B831A86C0ED6
```

⚠️ Warning: If you actually have a "token file" currently encrypted with that last key, decrypt it first (gpg -d token.gpg > token.txt) before deleting the key! Once deleted, you can re-encrypt it using your definitive Ed25519 key later.

I do have a token file at ~/.config/secrets/soundfreaq.tokens. How can I check which key was used for the encryption?

Preview with yazi

```text
----- File Type Classification -----

PGP RSA encrypted session key - keyid: 1DA696C6 45BB5017
RSA (Encrypt or Sign) 4096b
```

Step 4: Add Your Other Email to your Chosen Key (Optional but Awesome)

Instead of creating a whole new key pair if you ever need to use GPG for your @soundfreaq.com email again, you can simply attach a secondary identity (UID) to your main Ed25519 key.

This gives you one single master key and one passphrase to manage both emails:

```bash
gpg --edit-key DD47EED6FE144AEF
```

At the interactive prompt, type:

```text
gpg> adduid
```

Follow the prompts to enter your name (alowree) and your other email (alowree@soundfreaq.com). Once done, type:

```text
gpg> save
```

The Clean Result

Once you finish this cleanup and run gpg --list-keys --keyid-format=long, your keyring will look blissfully simple:

```text
pub   ed25519/DD47EED6FE144AEF 2026-05-31 [SC] [expires: 2029-05-30]
uid                 [ultimate] Alowree XU <alowree@twineintl.com>
uid                 [ultimate] alowree <alowree@soundfreaq.com>
sub   cv25519/F153F61B54880586 2026-05-31 [E] [expires: 2029-05-30]
```

This DD47EED6FE144AEF key is the exact ID you will use to export to your Arch Linux machine, and it is the exact key we will target when initializing pass.

Whenever you're ready, let me know and we will jump into Part 2: The Unix Password Manager (pass) using this squeaky-clean key!

Does it mean when using GPG encryption and decryption, actually only one keyring (authenticating you is YOU) is sufficient? In this case, this sole keyring (pubkey) is like a secret formula to encrypt plain text into unreadable/useable data, and only with the secret key you can decode/uncover "truth" from the encrypted data. That also means, GPG with a sole keyring is the umbrella, under which pass will manage many different passwords for various websites, emails, banking accounts, and so on. Check if this understanding is correct, or provide a better explanation with an analogy, especially about the relation between GPG and pass applications in the real world.

Your Understanding is EXCELLENT - Let Me Validate and Expand

You've grasped the core concept perfectly. Let me validate your understanding and then provide a clearer analogy that will cement this knowledge.

Your Understanding: ✅ Correct

"Only one keyring (authenticating you is YOU) is sufficient"

Yes! One GPG key pair (your identity) is all you need. This single identity can protect thousands of passwords, files, and emails.

"GPG with sole keyring is the umbrella, under which pass will manage many different passwords"

Exactly right! Think of GPG as the encryption engine and pass as the password database. GPG provides the lock; pass provides the filing cabinet.

The Perfect Analogy: A Bank Vault with Safe Deposit Boxes

Imagine you have:

Your GPG Key Pair = Your Identity + Vault Master Key

  • Public Key = Your name + A transparent lockbox that anyone can use to seal things for you
  • Private Key = The unique key that opens YOUR vault (never shared)
  • GPG Agent = The bank security guard who holds your vault key while you're in the bank

pass = The Safe Deposit Boxes Inside Your Vault

```text
PHYSICAL ANALOGY:
┌────────────────────────────────────────────┐
│  THE BANK VAULT (Your GPG Identity)        │
│  ┌────────────────────────────────────┐    │
│  │  Safe Deposit Box #1               │    │
│  │  Label: "Email/Twine"              │    │
│  │  Contents: "MyEmailPassword123"    │    │
│  ├────────────────────────────────────┤    │
│  │  Safe Deposit Box #2               │    │
│  │  Label: "Bank/Chase"               │    │
│  │  Contents: "OnlineBanking789"      │    │
│  ├────────────────────────────────────┤    │
│  │  Safe Deposit Box #3               │    │
│  │  Label: "Social/Twitter"           │    │
│  │  Contents: "TwitterSecret456"      │    │
│  └────────────────────────────────────┘    │
│                                            │
│  [ONE VAULT DOOR - Opened by YOUR key]     │
└────────────────────────────────────────────┘
```

How This Works in Practice

  1. To store a new password:

    • You write it on paper → put in a box → label the box → lock the vault → walk away
    • echo "password123" | pass insert Email/Gmail
  2. To retrieve a password:

    • You unlock the vault (GPG asks for passphrase once) → open the labeled box → read the password
    • pass Email/Gmail → outputs "password123"
  3. Someone sends you an encrypted message:

    • They use your transparent lockbox (public key) to seal their message
    • Only YOU can open it with your vault key
    • gpg --encrypt --recipient YOU file

The Critical Insight: One Identity, Many Secrets

```text
REAL WORLD EXAMPLE:
┌───────────────────────────────────────────────────────┐
│  YOU (Alowree XU) - A Single Identity                 │
│  Your GPG Key: 0E4E7F5FCC8D0F57                       │
│                                                       │
│  Under this single identity, you protect:             │
│                                                       │
│  ┌──────────────┐  ┌──────────────┐  ┌─────────────┐  │
│  │ Work Email   │  │ Personal Bank│  │ SSH Keys    │  │
│  │ Password     │  │ Account      │  │ for Servers │  │
│  └──────────────┘  └──────────────┘  └─────────────┘  │
│  ┌──────────────┐  ┌──────────────┐  ┌─────────────┐  │
│  │ API Tokens   │  │ Credit Card  │  │ Wi-Fi       │  │
│  │ for Services │  │ Numbers      │  │ Passwords   │  │
│  └──────────────┘  └──────────────┘  └─────────────┘  │
│                                                       │
│  ALL secured by the SAME GPG key pair                 │
└───────────────────────────────────────────────────────┘
```

Why One GPG Key is Actually BETTER

What You Initially Thought (Multiple Keys)

```text
You (confused)
├── GPG Key for Work Email
├── GPG Key for Personal Email
├── GPG Key for Banking
├── GPG Key for SSH
└── GPG Key for File Encryption

Problem: Which key encrypted which file?
         Which passphrase was that?
         Did I back up all 5 keys?
```

What You Should Do (One Identity)

```text
Alowree XU (clear identity)
└── One GPG Key (0E4E7F5FCC8D0F57)
    └── pass database
        ├── Email/Work/twine
        ├── Email/Personal/hotmail
        ├── Banking/chase
        ├── SSH/production-server
        └── WiFi/home-network

Solution: ONE passphrase to remember
         ONE key to backup
         ONE identity to trust
```

The Technology Stack Visualization

Here's how the layers actually stack:

```text
┌────────────────────────────────────────────┐
│  APPLICATIONS (What you use)               │
│  ┌─────────┐  ┌─────────┐  ┌─────────┐     │
│  │ NeoMutt │  │  Git    │  │  isync  │     │
│  └────┬────┘  └────┬────┘  └────┬────┘     │
│       │            │            │          │
│       ▼            ▼            ▼          │
│  ┌──────────────────────────────────────┐  │
│  │         pass (Password Manager)      │  │
│  │  "Hey pass, give me the password     │  │
│  │   for alowree@twineintl.com"         │  │
│  └──────────────────┬───────────────────┘  │
│                     │                      │
│                     ▼                      │
│  ┌──────────────────────────────────────┐  │
│  │      GPG (Encryption Engine)         │  │
│  │  - Takes plaintext password          │  │
│  │  - Encrypts with YOUR public key     │  │
│  │  - Produces .gpg file                │  │
│  └──────────────────┬───────────────────┘  │
│                     │                      │
│                     ▼                      │
│  ┌──────────────────────────────────────┐  │
│  │    Filesystem (~/.password-store/)   │  │
│  │  - Email/                            │  │
│  │    └── alowree@twineintl.com.gpg     │  │
│  │  - Banking/                          │  │
│  │    └── chase.gpg                     │  │
│  └──────────────────────────────────────┘  │
└────────────────────────────────────────────┘
```

The "Just You" Principle

Your understanding points to a fundamental truth: In the digital world, your GPG key IS you.

Think of it like your physical signature:

  • You have ONE signature (not different signatures for bank, work, library)
  • Your signature authorizes many different things (checks, contracts, forms)
  • Your identity is consistent across all contexts

Similarly:

  • You have ONE GPG identity
  • This identity protects MANY secrets
  • This identity is consistent across all digital contexts

Real-World Workflow Example

```bash
# Day 1: Setup your digital identity once
gpg --full-generate-key  # Create ONE key for life
pass init "0E4E7F5FCC8D0F57"  # Tell pass about your identity

# Day 2: Add work email password
pass insert Email/work/twine
# Enter: MyWorkEmailPassword123

# Day 3: Add personal email password
pass insert Email/personal/hotmail
# Enter: MyPersonalEmail456

# Day 4: Add banking password
pass insert Banking/chase
# Enter: BankingSecret789

# Day 5: Need work email password
pass Email/work/twine
# Output: MyWorkEmailPassword123

# All passwords secured by YOUR ONE GPG KEY
```

Important Nuances: When Multiple Keys MAKE Sense

While one key is sufficient for most people, here's when multiple keys are justified:

Legitimate Reasons for Multiple Keys

  1. Work vs. Personal Separation (Your Case)

    ```text
    Work Key: 0E4E7F5FCC8D0F57  (for twineintl.com)
    Personal Key: AAAAAAAAAAAAAAAA (for hotmail.com)

    Reason: If you leave company, you hand over work key
    ```
  2. High-Security vs. Everyday Use

    ```text
    Everyday Key: On laptop, cached for convenience
    High-Security Key: On YubiKey, requires physical touch

    Reason: Limit exposure of most critical secrets
    ```
  3. Expiration and Rotation

    ```text
    Key 2024: Expires in 2025
    Key 2025: New key for new year

    Reason: Regular key rotation for compliance
    ```

Unnecessary Complexity (What You Had)

✗ Different key for each email address
✗ Different key for each encrypted file
✗ Multiple keys for same purpose
✗ Keys without clear purpose or documentation

The Golden Rule of GPG Key Management

One digital identity, one GPG key.
Only create a new key when you need a genuinely separate identity
(e.g., work vs. personal, or high-security vs. everyday).

What You Should Do Now

Based on this understanding, here's your action plan:

```bash
# 1. Keep ONE primary key for your main identity
# Your RSA 4096 key for twineintl.com: 0E4E7F5FCC8D0F57

# 2. If you need work/personal separation:
# - Work: 0E4E7F5FCC8D0F57 (twineintl.com)
# - Personal: Create ONE new key for hotmail.com

# 3. Delete everything else (the 4 other soundfreaq keys)

# 4. Initialize pass with your primary key
pass init 0E4E7F5FCC8D0F57

# 5. Store ALL passwords under this single identity
pass insert Email/work/twine
pass insert Email/personal/hotmail  # Even personal, under work key
# Or use separate store as discussed earlier
```

Final Verification Test

This test will confirm you understand:

```bash
# Question: How many GPG keys do you need to store 100 passwords?
# Your answer: 1 key pair

# Question: What happens if you lose your only GPG private key?
# Answer: You lose access to ALL 100 passwords (backup is critical!)

# Question: Can two different people use the same pass database?
# Answer: Yes, if you initialize the store with their key ID as well.
# `pass init` accepts several key IDs and re-encrypts every entry to all of them
# (there is no -e flag; the second ID below is a placeholder for their key):
pass init 0E4E7F5FCC8D0F57 9A8B7C6D5E4F3G2H  # Your key, then their key
# Now both of you can decrypt the passwords
```

Summary

Your understanding is spot on. GPG provides your digital identity (one lock and key). pass provides organized storage for many secrets under that identity. The confusion with multiple keys is unnecessary complexity - like having five different driver's licenses for the same person.

Keep it simple: One GPG key to rule them all (with maybe one separate for work/personal boundaries). Everything else is just organization within pass.

From what you explained above, I've decided to generate a new keyring using my personal email "alowree@hotmail.com" as my digital ID. I will then delete all the other keyrings under the name of @twineintl.com and @soundfreaq.com, and I will then delete the current ~/.password-store which is using the GPG keyring created based on "alowree@soundfreaq.com". Once I have the new GPG keyring based on "hotmail.com", I will then re-generate ~/.config/secrets/soundfreaq.tokens used by NeoMutt to connect to the soundfreaq.com email, which is Gmail based; I will then regenerate ~/.password-store to manage all the passwords for websites, emails, banking accounts, wifi, and so on. Outline the critical steps that I should follow to get the task done.

A Clean Start: Migrating to a Single Personal GPG Identity

Excellent decision! This will give you a clean, maintainable setup. Here's your step-by-step migration plan.

Phase 1: Backup (Critical Safety Step)

Before deleting anything, create a complete backup in case something goes wrong:

```bash
# 1. Create a backup directory with timestamp
BACKUP_DIR=~/gpg-backup-$(date +%Y%m%d-%H%M%S)
mkdir -p "$BACKUP_DIR"

# 2. Backup entire GPG keyring
cp -r ~/.gnupg "$BACKUP_DIR/gnupg"

# 3. Backup password stores if they exist
[ -d ~/.password-store ] && cp -r ~/.password-store "$BACKUP_DIR/password-store"
[ -d ~/.password-store-work ] && cp -r ~/.password-store-work "$BACKUP_DIR/password-store-work"
[ -d ~/.password-store-personal ] && cp -r ~/.password-store-personal "$BACKUP_DIR/password-store-personal"

# 4. Backup encrypted tokens
[ -f ~/.config/secrets/soundfreaq.tokens ] && cp ~/.config/secrets/soundfreaq.tokens "$BACKUP_DIR/"

# 5. Export revocation certificates for keys you're deleting
#    (--gen-revoke is interactive: gpg asks you to confirm and to pick a reason)
for key in 0FA3B831A86C0ED6 0E4E7F5FCC8D0F57 7BDEE8D8DC3BC1E8 DD47EED6FE144AEF E83B26728A7BF51D; do
    gpg --output "$BACKUP_DIR/revoke-$key.asc" --gen-revoke "$key" 2>/dev/null
done

echo "Backup completed to: $BACKUP_DIR"
```

Phase 2: Generate Your New Personal GPG Key

Create your new digital identity:

```bash
# 1. Generate new key for hotmail.com
gpg --full-generate-key
```

Choose these options:

```text
Kind of key: (1) RSA and RSA
Keysize: 4096
Expiration: 0 (does not expire)
Real name: Alowree XU (or your full name)
Email address: alowree@hotmail.com
Comment: Personal Identity Key
```

Important: Save the output - you'll need the new Key ID:

```text
pub   rsa4096/YYYYYYYYYYYYYYYY 2026-06-02 [SC]
      FINGERPRINT_STRING
uid                 Alowree XU (Personal Identity Key) <alowree@hotmail.com>
sub   rsa4096/ZZZZZZZZZZZZZZZZ 2026-06-02 [E]
```

Note your new Key ID (the 16-character string after rsa4096/). Let's call it YOUR_NEW_KEY_ID for now.

Phase 3: Set Up Your New GPG Environment

Configure GPG for your new identity:

```bash
# 1. Mark your new key as ultimately trusted
gpg --edit-key YOUR_NEW_KEY_ID
# At the gpg> prompt, type these one at a time (they are gpg commands, not shell commands):
#   trust
#   5        <- ultimate trust
#   quit

# 2. Configure GPG agent for your new key
cat > ~/.gnupg/gpg-agent.conf << 'EOF'
# Use pinentry-mac for macOS (or pinentry-tty for Linux)
pinentry-program /opt/homebrew/bin/pinentry-mac

# Cache passphrase for 8 hours
default-cache-ttl 28800
max-cache-ttl 86400

# Allow loopback for pass
allow-loopback-pinentry
EOF

# 3. Set permissions
chmod 600 ~/.gnupg/gpg-agent.conf

# 4. Restart GPG agent
gpgconf --kill all
gpg-connect-agent /bye

# 5. Set GPG_TTY in your shell config if not already set
grep -q "export GPG_TTY" ~/.zshrc || echo 'export GPG_TTY=$(tty)' >> ~/.zshrc
source ~/.zshrc
```

Phase 4: Clean Up Old Keys

Now delete all old keys, keeping only your new hotmail key:

```bash
# 1. First, verify you have the new key
gpg --list-secret-keys --keyid-format=long | grep -A1 "hotmail.com"
# Should show YOUR_NEW_KEY_ID

# 2. List all keys to see what you'll delete
gpg --list-keys --keyid-format=long

# 3. Delete each old key pair (secret + public)
# IMPORTANT: Delete secret keys first, then public keys

# Delete twineintl.com RSA key
gpg --delete-secret-keys 0E4E7F5FCC8D0F57
gpg --delete-keys 0E4E7F5FCC8D0F57

# Delete twineintl.com ED25519 key
gpg --delete-secret-keys DD47EED6FE144AEF
gpg --delete-keys DD47EED6FE144AEF

# Delete soundfreaq.com key 1
gpg --delete-secret-keys 0FA3B831A86C0ED6
gpg --delete-keys 0FA3B831A86C0ED6

# Delete soundfreaq.com key 2
gpg --delete-secret-keys 7BDEE8D8DC3BC1E8
gpg --delete-keys 7BDEE8D8DC3BC1E8

# Delete soundfreaq.com key 3
gpg --delete-secret-keys E83B26728A7BF51D
gpg --delete-keys E83B26728A7BF51D

# 4. Verify only your new key remains
gpg --list-keys --keyid-format=long
# Should show ONLY your hotmail key
```

Phase 5: Clean Up Old Password Stores

```bash
# 1. Remove all old password stores
rm -rf ~/.password-store
rm -rf ~/.password-store-work
rm -rf ~/.password-store-personal

# 2. Create fresh password store with your new key
pass init "YOUR_NEW_KEY_ID"

# 3. Verify initialization
pass
# Should show: Password Store (empty)
```

Phase 6: Recreate SoundFreaq Tokens (Gmail IMAP/SMTP)

Now recreate the encrypted tokens file for your soundfreaq.com email (which uses Gmail), using OAuth2:

Phase 7: Build Your New Password Store Structure

Now create an organized structure for all your passwords:

```bash
# 1. Create directory structure
mkdir -p ~/.password-store/{Email,Banking,Social,Wifi,Tokens,Servers}

# 2. Add your email passwords
pass insert Email/twineintl
# Enter: YOUR_TWINE_EMAIL_PASSWORD

pass insert Email/soundfreaq
# Enter: YOUR_SOUNDFREAQ_APP_PASSWORD

# 3. Add banking credentials
pass insert Banking/chase/online
# Enter: your online banking password
pass insert Banking/chase/credit-card
# Enter: credit card password/pin

# 4. Add social media
pass insert Social/twitter
pass insert Social/linkedin
pass insert Social/github

# 5. Add Wi-Fi passwords
pass insert Wifi/home
pass insert Wifi/work
pass insert Wifi/coffee-shop

# 6. Add API tokens
pass insert Tokens/openai
pass insert Tokens/aws

# 7. Add server SSH keys (optional - store passphrases)
pass insert Servers/production
pass insert Servers/staging
```

Phase 8: Configure NeoMutt with New Setup

Update your NeoMutt configuration to use the new password system:

```bash
# 1. Create a unified account configuration
cat > ~/.config/neomutt/accounts/soundfreaq << 'EOF'
# SoundFreaq (Gmail) Account
set imap_user = "alowree@soundfreaq.com"
set smtp_url = "smtps://alowree@soundfreaq.com@smtp.gmail.com:465"
set folder = "imaps://imap.gmail.com:993"
set spoolfile = "+INBOX"
set record = "+[Gmail]/Sent Mail"
set postponed = "+[Gmail]/Drafts"

# Use pass for password retrieval
set imap_pass = `pass Email/soundfreaq`
set smtp_pass = `pass Email/soundfreaq`
EOF

cat > ~/.config/neomutt/accounts/twine << 'EOF'
# Twine International Account
set imap_user = "alowree@twineintl.com"
set smtp_url = "smtp://alowree@twineintl.com@twineintlcom.securemail.hk:587"
set folder = "imaps://twineintlcom.securemail.hk:993"
set spoolfile = "+INBOX"
set record = "+Sent"
set postponed = "+Drafts"

set imap_pass = `pass Email/twineintl`
set smtp_pass = `pass Email/twineintl`
EOF

# 2. Update main neomuttrc to source accounts
cat > ~/.config/neomutt/neomuttrc << 'EOF'
# General settings
set realname = "Alowree XU"
set from = "alowree@hotmail.com"
set use_from = yes
set envelope_from = yes

# Default to personal account
source ~/.config/neomutt/accounts/hotmail

# Account shortcuts
macro index,pager ga "<change-folder>?<toggle-mailboxes>" "Open account switcher"
macro index,pager gs "<source ~/.config/neomutt/accounts/soundfreaq><change-folder>INBOX<enter>" "Switch to SoundFreaq"
macro index,pager gt "<source ~/.config/neomutt/accounts/twine><change-folder>INBOX<enter>" "Switch to Twine"
macro index,pager gh "<source ~/.config/neomutt/accounts/hotmail><change-folder>INBOX<enter>" "Switch to Hotmail"

# Sidebar
set sidebar_visible = yes
set sidebar_format = "%B%*?F? [%F]? %* %N"
set mail_check_stats = yes

# Editor
set editor = "vim"
EOF

# 3. Create hotmail account (personal)
cat > ~/.config/neomutt/accounts/hotmail << 'EOF'
# Personal Hotmail/Outlook Account
set imap_user = "alowree@hotmail.com"
# Port 587 is STARTTLS, so the scheme is smtp://, not smtps:// (smtps:// is implicit TLS on 465)
set smtp_url = "smtp://alowree@hotmail.com@smtp-mail.outlook.com:587"
set folder = "imaps://outlook.office365.com:993"
set spoolfile = "+INBOX"
set record = "+Sent Items"
set postponed = "+Drafts"

set imap_pass = `pass Email/hotmail`
set smtp_pass = `pass Email/hotmail`
EOF
```

Phase 9: Update isync Configuration

Update your ~/.config/isyncrc:

```bash
cat > ~/.config/isyncrc << 'EOF'
# SoundFreaq (Gmail) - Work Email 1
IMAPAccount soundfreaq
Host imap.gmail.com
User alowree@soundfreaq.com
PassCmd "pass Email/soundfreaq"
Port 993
TLSType IMAPS
AuthMechs LOGIN

IMAPStore soundfreaq-remote
Account soundfreaq

MaildirStore soundfreaq-local
Path ~/.maildir/soundfreaq/
Inbox ~/.maildir/soundfreaq/INBOX
SubFolders Verbatim

Channel soundfreaq
Far :soundfreaq-remote:
Near :soundfreaq-local:
Patterns *
Sync All
Expunge Both
Create Near
Remove Near
SyncState *
CopyArrivalDate yes
ExpireUnread yes

# Twine International - Work Email 2
IMAPAccount twine
Host twineintlcom.securemail.hk
User alowree@twineintl.com
PassCmd "pass Email/twineintl"
Port 993
TLSType IMAPS
AuthMechs PLAIN

IMAPStore twine-remote
Account twine

MaildirStore twine-local
Path ~/.maildir/twine/
Inbox ~/.maildir/twine/INBOX
SubFolders Verbatim

Channel twine
Far :twine-remote:
Near :twine-local:
Patterns *
Sync All
Expunge Both
Create Near
Remove Near
SyncState *
CopyArrivalDate yes
ExpireUnread yes
EOF
```
```bash
# 1. Initialize Git in password store
pass git init

# 2. Add all current passwords
pass git add .
pass git commit -m "Initial password store with new GPG identity"

# 3. Add remote (if you want to sync across machines)
# pass git remote add origin git@github.com:alowree/password-store.git
# pass git push -u origin main

# 4. Create .gitignore for temporary files
cat > ~/.password-store/.gitignore << 'EOF'
*.tmp
*.swp
*~
.DS_Store
EOF

pass git add .gitignore
pass git commit -m "Add gitignore"
```

Phase 11: Test Everything

Create a test script:

```bash
cat > ~/test-new-setup.sh << 'EOF'
#!/bin/bash

echo "Testing new GPG and pass setup..."
echo "================================"

# Test 1: GPG key
echo -n "1. GPG key configured: "
if gpg --list-keys alowree@hotmail.com &>/dev/null; then
    echo "✓"
else
    echo "✗"
    exit 1
fi

# Test 2: Pass store
echo -n "2. Pass store initialized: "
if pass &>/dev/null; then
    echo "✓"
else
    echo "✗"
    exit 1
fi

# Test 3: SoundFreaq password
echo -n "3. SoundFreaq password accessible: "
if pass Email/soundfreaq &>/dev/null; then
    echo "✓"
else
    echo "✗"
fi

# Test 4: Encrypted tokens file
echo -n "4. Tokens file decryptable: "
if gpg -d ~/.config/secrets/soundfreaq.tokens &>/dev/null; then
    echo "✓"
else
    echo "✗"
fi

# Test 5: Maildir structure
echo -n "5. Maildir directories exist: "
if [ -d ~/.maildir/soundfreaq ] && [ -d ~/.maildir/twine ]; then
    echo "✓"
else
    echo "✗ (run mbsync first)"
fi

echo "================================"
echo "Setup verification complete!"
EOF

chmod +x ~/test-new-setup.sh
~/test-new-setup.sh
```

Phase 12: Synchronize Email

```bash
# 1. Sync your email accounts
mbsync -V soundfreaq
mbsync -V twine

# 2. Launch NeoMutt
neomutt

# 3. Test sending/receiving
# In NeoMutt: press 'm' to compose, send test email to yourself
```

Summary Checklist

After completing all phases, verify:

  • Only ONE GPG key exists (gpg --list-keys shows only hotmail key)
  • Pass store initialized with new key (cat ~/.password-store/.gpg-id matches your new key ID)
  • SoundFreaq tokens re-encrypted and working (gpg -d ~/.config/secrets/soundfreaq.tokens)
  • All passwords recreated in organized structure (pass shows Email/, Banking/, etc.)
  • NeoMutt config updated to use pass Email/...
  • isync config updated with new PassCmd entries
  • Email syncs successfully (mbsync -V soundfreaq twine)
  • Git initialized in password store (optional)

Important Reminders

  1. Backup your new GPG key immediately:

    ```bash
    gpg --export-secret-keys --armor YOUR_NEW_KEY_ID > ~/hotmail-private-key.asc
    # Store this file in a safe place (USB drive, offline)
    ```
  2. Save your revocation certificate:

    ```bash
    # GnuPG names the auto-generated certificate after the key's full fingerprint, not the email,
    # so use the fingerprint shown under the pub line when the key was generated
    cp ~/.gnupg/openpgp-revocs.d/FINGERPRINT_STRING.rev ~/hotmail-revoke.asc
    # Store with your private key backup
    ```
  3. Never commit your password store to public repositories unless using pass git with a private repo

  4. Document your new setup:

    ```bash
    cat > ~/.password-store/README << 'EOF'
    # Password Store - Alowree XU
    # GPG Key: YOUR_NEW_KEY_ID (alowree@hotmail.com)
    # Created: 2026-06-02

    ## Structure
    - Email/: Email account passwords
    - Banking/: Financial credentials
    - Social/: Social media accounts
    - Wifi/: Network passwords
    - Tokens/: API keys
    - Servers/: SSH passphrases
    EOF
    ```

You now have a clean, organized, and maintainable setup with a single GPG identity managing all your digital secrets!
