I had my Kopia secrets (API, repo key, etc) stored in LastPass. Whilst the chance of someone decrypting the vault is very remote, I think it makes sense not to tempt fate and change important credentials.
I’ve changed my repository password successfully, but would also like to revoke and re-issue my BackBlaze API key.
Can I change an API key for the repository, or do I need to connect Kopia to a ‘new’ storage location?
Although this is off-topic, and I ceased using LastPass years ago, replacing it with a self-hosted Bitwarden instance: at no point in time had your vault been in danger from the two breaches LastPass suffered, if you chose a strong passphrase when setting up your vault.
Lastpass was designed to be resilient to vault theft and since Lastpass doesn’t have the key to your vault, your vault can be considered safe and sound.
As for your question, I think you will need to swap the old repo with a new one, which is really simple and straightforward. In fact you won’t notice any difference.
I agree with your sentiments on LastPass’ vault design. However I was stunned to find out that not all fields in the vault were encrypted (including URLs) so my trust in their implementation of the design is now undermined.
And why would they need that? The vault itself is encrypted. It’s only decrypted in memory, so why should any of the fields be encrypted after the vault itself has been decrypted? To decrypt these fields, the key must be present in memory as well; otherwise you’d have to enter your vault password over and over again, for any password you want to retrieve. This would be safer, but no one would buy such a product, since it’s simply not usable.
That’s the problem. Everyone had the same understanding you did. But it turns out that multiple fields in the vault were never encrypted and were stored in plain text. So it leads you to wonder what other shortcuts were taken.
I don’t want to start a discussion about how to handle the insides of a password vault, but what matters to me is that the vault “blob” is encrypted. If LastPass chose to also have fields in the decrypted vault encrypted, such that they need to be decrypted twice, I am okay with that. This would provide some help against local snooping in case your host has already been breached or someone is using your account, maybe even with your consent. It wouldn’t, however, pose any further risk to the vaults stored on LastPass’ servers.
I am not stating that you should or shouldn’t stay with LastPass; I am only stating that the breach at LastPass didn’t expose your secrets to any additional danger beyond what they had been in all the time.