
Rotate a compromised GPG key

Remove a compromised private key from every vault it could read and rotate the underlying secrets at their source. Applies whether the compromised key is yours or a teammate’s.

  1. Generate or import a replacement identity. If the compromised key is yours, generate a new pair (gpg --full-generate-key), publish the new public key, and have each teammate import it.

  2. Revoke the compromised fingerprint from every affected secret. Quote the wildcard so the shell does not expand it.

    dotsecenv secret revoke "*" <COMPROMISED_FP> --all
  3. Add the replacement recipient.

    dotsecenv secret share <SECRET_NAME> <NEW_FP> --all
  4. Rotate each affected secret at its source. Generate a new credential at the originating system (database, IDP, cloud provider, API issuer) and store it. This is what neutralizes the compromise.

    echo "<new-value>" | dotsecenv secret store <SECRET_NAME>
  5. Verify. Every current secret should list the new key as a recipient and not the compromised one.

    dotsecenv vault doctor
    dotsecenv vault describe
  6. Commit.

    git add path/to/vault
    git commit -m "Rotate compromised key <COMPROMISED_FP>, rotate N secrets"
  • Erasing a leaked entry from the vault file is not possible: the vault is append-only by design. Rewriting git history with git filter-repo is possible, but anyone who already cloned the repo still has the old data, and the compromised key still decrypts it.
  • Re-encrypting an existing entry to a different recipient set is not possible: secret share and secret revoke only affect future writes. Source rotation is the only fix.
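The following is a constructed model added to illustrate why steps 2 to 4 must all happen; it is not dotsecenv's implementation, and the Vault, Entry and rotate names are assumptions. It shows that revoke and share only change the recipients of entries written afterwards, so the old value stays readable by the compromised key until a new value is stored.

```python
"""Constructed model of an append-only vault (illustration, not dotsecenv code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Entry:
    name: str
    value: str
    recipients: frozenset  # fingerprints that can decrypt this entry


@dataclass
class Vault:
    log: list = field(default_factory=list)         # append-only history
    recipients: dict = field(default_factory=dict)  # name -> current recipient set

    def store(self, name, value):
        """Append a new version encrypted to the secret's *current* recipients."""
        fps = frozenset(self.recipients.setdefault(name, set()))
        self.log.append(Entry(name, value, fps))

    def share(self, name, fp):
        """Add a recipient for future writes of `name`; past entries are unchanged."""
        self.recipients.setdefault(name, set()).add(fp)

    def revoke(self, pattern, fp):
        """Remove a recipient for future writes; '*' matches every secret."""
        for name, fps in self.recipients.items():
            if pattern == "*" or pattern == name:
                fps.discard(fp)

    def current(self):
        """Latest entry per secret, the view a describe/doctor check would report."""
        latest = {}
        for entry in self.log:
            latest[entry.name] = entry
        return latest

    def readable_by(self, fp):
        """Every value `fp` can still decrypt, superseded entries included."""
        return [e.value for e in self.log if fp in e.recipients]


def rotate(vault, compromised_fp, new_fp, new_values):
    """Steps 2-4 of the procedure: revoke, share, then store the source-rotated value."""
    vault.revoke("*", compromised_fp)
    for name, value in new_values.items():
        vault.share(name, new_fp)
        vault.store(name, value)  # new version is encrypted to the new set only
    return all(new_fp in e.recipients and compromised_fp not in e.recipients
               for e in vault.current().values())
```

The assertions worth keeping in mind: the rotated value is unreadable by the compromised key, but the superseded value remains readable by it, which is exactly why the credential itself has to change at its source.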