10

I know that I can do (edit: fixed this; I'm interested in gpg NOT openssh)

gpg --edit-key

...to change my passphrase for my key, but I'm not sure what this means.

If I'm encrypting data on box A and decrypting on box B (say with duplicity) do I have to change the passphrase on both ends? Will previous backups still work?

Is the passphrase just the key to a sort of encrypted wrapper around the key file?

Dumb question, but I don't want to screw this up. Thanks!

jberryman
  • SSH is not GPG! – Zoredache Jan 05 '12 at 18:33
  • I think you may have confused ssh keypairs and GPG keypairs, which whilst related aren't entirely interconvertible or interoperable. Most of your question relates to the latter, but `ssh-keygen` deals with the former. `gpg --edit-key` is used to change the passphrase on a gpg key. Can you perhaps clarify what you're trying to do? – MadHatter Jan 05 '12 at 18:35
  • Duh, thanks both of you. Don't know why I didn't realize that. – jberryman Jan 05 '12 at 19:17

2 Answers

17

Yes. The only things that matter for asymmetric encryption are the keys themselves. Alice encrypts something using Bob's public key, and only Bob, in possession of his private key, may decrypt the transmission and retrieve the original plaintext from Alice.

Since private keys are very sensitive, it is not a good idea to leave them lying around (on your disk or in your home directory). They need to be protected. So we wrap them using symmetric encryption with a passphrase. This way, we have two layers of security: in order to decrypt the data, the attacker needs something you have (the encrypted private key) and something you know (the passphrase to unlock the private key).

Changing the passphrase of a private key basically unwraps it from its old protection and creates a new protection with the new passphrase. The passphrase is never used in the transmission of the data between the two parties.

Juliano
6

The actual ssh private key is stored in an encrypted format. The passphrase is used to decrypt the private key so that it can be used. Changing the passphrase will not affect how the key was used in the past.

user9517
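An added example, not code from either answer above, that checks Juliano's and user9517's point with GnuPG itself: in a throwaway keyring it encrypts a file to a key's public half, changes the private key's passphrase, and then decrypts the earlier ciphertext. It assumes GnuPG 2.1 or later (gpg, gpgconf and gpg-agent) and a POSIX shell; the user id, both passphrases and the payload are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from either answer: change a GPG key's passphrase and
# check that a file encrypted to its public key beforehand still decrypts.
# Assumes GnuPG 2.1+ (gpg, gpgconf, gpg-agent). Runs in a throwaway GNUPGHOME;
# the user id, both passphrases and the payload are constructed for the demo.

demo_passphrase_change() {
    command -v gpg >/dev/null 2>&1 && command -v gpgconf >/dev/null 2>&1 \
        || { echo "GnuPG 2.x not installed, skipping demo"; return 0; }
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    uid='passphrase-demo@example.invalid'
    old='old-passphrase'
    new='new-passphrase'

    # 1. "Box A": generate a key pair. The private half is stored wrapped under $old.
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$old" \
        --quick-generate-key "$uid" default default never >/dev/null 2>&1 || return 1

    # 2. Encrypt a "backup" to the public key. No passphrase is involved in this step.
    printf 'backup payload\n' > "$GNUPGHOME/backup.txt"
    gpg --batch --quiet --trust-model always -r "$uid" \
        -o "$GNUPGHOME/backup.gpg" -e "$GNUPGHOME/backup.txt" 2>/dev/null || return 1

    # 3. Re-wrap the private key under $new. In loopback mode gpg reads the old and
    #    then the new passphrase from --command-fd, one per line.
    printf '%s\n%s\n' "$old" "$new" | gpg --batch --quiet --pinentry-mode loopback \
        --command-fd 0 --status-fd 2 --change-passphrase "$uid" 2>/dev/null || return 1
    gpgconf --kill gpg-agent   # drop the agent's cached passphrase before testing

    # 4. The old passphrase must no longer unlock the private key ...
    if gpg --batch --quiet --pinentry-mode loopback --passphrase "$old" \
           -d "$GNUPGHOME/backup.gpg" >/dev/null 2>&1; then
        echo "old passphrase still unlocks the key: change failed"; return 1
    fi
    # ... while the ciphertext produced before the change decrypts with the new one.
    out=$(gpg --batch --quiet --pinentry-mode loopback --passphrase "$new" \
          -d "$GNUPGHOME/backup.gpg" 2>/dev/null) || return 1
    gpgconf --kill gpg-agent
    rm -rf "$GNUPGHOME"
    [ "$out" = "backup payload" ] || return 1
    echo "earlier backup decrypts after the passphrase change"
}

demo_passphrase_change
```

The same holds for a duplicity backup made on box A: the passphrase only ever unlocks the private key on the decrypting box, so it is changed there and nowhere else.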