diff --git a/utils/scripts/sekrit-rekey.sh b/utils/scripts/sekrit-rekey.sh
new file mode 100644
index 0000000..906614d
--- /dev/null
+++ b/utils/scripts/sekrit-rekey.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+usage()
+{
+ printf "Usage: %s newkey\n" "${0##*/}" >&2
+ exit 1
+}
+
+err()
+{
+ printf "%s: %s\n" "${0##*/}" "$*" >&2
+ exit 1
+}
+
+newsekrit()
+{
+ SEKRIT_DIR="$newdir" SEKRIT_GPG_ID="$newkey" sekrit "$@"
+}
+
+[ $# -eq 1 ] || usage
+newkey=$1
+gpg2 -k "$newkey" >/dev/null || err "Can't find key \"$newkey\""
+
+umask 077
+newdir=$(mktemp -dt sekrit-XXXXXXXXXX) ||
+ err "Failed to create temporary directory"
+scratch=$(mktemp -tp "$newdir" .sekrit-scratch-XXXXXXXXXX) ||
+ err "Failed to create scratch file"
+trap 'rm -fr -- "$scratch" "$newdir"' INT QUIT TERM
+
+for entry in $(sekrit ls | grep -v ^DONE); do
+ printf "%s... " "$entry"
+ sekrit get "$entry" >|"$scratch" ||
+ err "Failed to export entry \"$entry\""
+ newsekrit add "$entry" <"$scratch" ||
+ err "Failed to import entry \"$entry\""
+ printf "OK\n"
+done
+rm -f "$scratch"
+
+outdir=sekrit-rekey-$(date +%Y%m%d)
+if mv "$newdir" "$outdir"; then
+ finaldir=$outdir
+else
+ finaldir=$newdir
+fi
+printf "New sekrit store can be found at %s\n" "$finaldir"
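Review bot: The scratch file receives each entry's output from `sekrit get`, presumably in decrypted form, but the cleanup trap fires only on INT, QUIT and TERM, so every `err` path inside the loop exits with the last exported secret still on disk. Adding `trap 'rm -f -- "$scratch"' EXIT` would cover those paths, and the signal handler should terminate the script, e.g. `trap 'rm -fr -- "$scratch" "$newdir"; exit 1' INT QUIT TERM`, because as written the handler returns and the loop keeps running against a deleted directory. Separately, `for entry in $(sekrit ls | grep -v ^DONE)` word-splits and globs the listing, so an entry name containing whitespace or `*` would not be processed as a single entry. Running `set -f` and restricting `IFS` to a newline before the loop would limit splitting to line boundaries.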