How to change the passphrase of a duplicity backup?

Assuming you're using symmetric encryption, you will keep previous backup chains files encrypted with the old passphrase which won't be stored into the cache with the new passphrase since they won't be decrypted. You will need to run many PASSPHRASE=old duplicity, PASSPHRASE=new duplicity in order to recache all files (assuming a new machine scenario) and could easily reach an impossibility to restore your latest backups.

The best method is probably: cleanup first and start a brand new full backup chain using the new passphrase.