~sircmpwn/himitsu#21: 
Provide tool to re-encrypt keystore

To change your password, for example.

Status
REPORTED
Submitter
~sircmpwn
Assigned to
No-one
Submitted
10 months ago
Updated
6 days ago
Labels
No labels applied.

~stonks3141 8 days ago

I'd like to work on this. I was thinking that the implementation could be a subcommand of a new hictl program, and himitsu-init would become hictl init. It would:

  1. Check if himitsud is running and exit with an error if so
  2. Move the store to index.old
  3. Prompt for the old passphrase
  4. Decrypt the store in memory
  5. Prompt for the new one twice like himitsu-init does
  6. Reencrypt and write the store with the new passphrase
  7. Remove index.old

I'm not sure if that's the best order of operations, but I'll get started on the implementation soon unless anyone wants to discuss anything.

~sircmpwn 6 days ago

fwiw you can currently re-encrypt the keystore very unix-like:

hiq -d > keys
# recreate store
hiq -a < keys

~stonks3141 6 days ago

In that case, maybe just adding that one-liner to the man page would be better.

~stonks3141 6 days ago

The only concern with that I can think of is that hiq would only prompt for the password once, but this could be mitigated by running himitsu-init before re-adding the store entries.
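
The dump-and-re-add flow discussed above leaves every secret in a plaintext `keys` file, so this added example (not part of the thread and not himitsu code) wraps it to keep that file owner-only and to keep it whenever the old store may already be gone. `HIQ` and `RECREATE` are hypothetical override variables; `RECREATE` defaults to `himitsu-init` as suggested in the thread and is assumed to leave an empty store that `hiq -a` can add to.

```shell
#!/bin/sh
# Added example, not himitsu code. HIQ and RECREATE are hypothetical
# override variables; RECREATE defaults to himitsu-init as suggested in
# the thread and is assumed to leave an empty store that hiq can add to.

# The function body is a subshell, so umask and exit stay local to it.
rekey() (
    hiq_cmd=${HIQ:-hiq}
    recreate_cmd=${RECREATE:-himitsu-init}

    umask 077    # the dump holds every secret in plaintext: owner-only
    # Prefer the per-user runtime directory (often tmpfs) over the
    # current directory, so the dump does not land on persistent disk.
    tmpdir=$(mktemp -d "${XDG_RUNTIME_DIR:-/tmp}/rekey.XXXXXX") || exit 1
    keys=$tmpdir/keys

    # Phase 1: dump. The old store is untouched, so failing is harmless
    # and the (possibly partial) dump is removed.
    if ! $hiq_cmd -d > "$keys" || [ ! -s "$keys" ]; then
        rm -rf "$tmpdir"
        echo "dump failed or empty; store left as it was" >&2
        exit 2
    fi

    # Phase 2: recreate, then re-add. The dump may now be the only copy
    # of the secrets, so it is kept if either step fails.
    if ! $recreate_cmd || ! $hiq_cmd -a < "$keys"; then
        echo "re-encryption incomplete; plaintext kept at $keys" >&2
        exit 3
    fi

    rm -rf "$tmpdir"    # success: remove the plaintext copy
)
```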
