gpg-agent's SSH agent emulation: how to remove keys?

Ben Low benjamin.d.low at
Wed Jul 18 06:37:13 CEST 2018

gpg-agent's enable-ssh-support option makes it "possible to use the
gpg-agent as a drop-in replacement for the well known ssh-agent"

There is a caveat in this 'drop-in replacement': unlike the well-known
ssh-agent which caches keys only for the duration of the agent's process
lifetime, gpg-agent makes its own copy that persists. The man page does
implicitly note this by way of "gpg-agent [asks] for a passphrase, which is
to be used for encrypting the newly received key and _storing_ it in a
gpg-agent specific directory" (emphasis mine).

Practically, this means that once a key is added to gpg-agent it's unclear
as to how to remove it. ssh-add -d/-D doesn't work, and you can't simply
remove keys from ~/.ssh/ and restart the agent as gpg-agent's not referring
to those files.

Seems like the only(?) method to remove SSH keys from gpg-agent is to look
up the keygrip for the desired key in sshcontrol, then remove it from there
as well as rm the matching file in private-keys-v1.d/ ? Is there anything
else that needs cleaning up after doing that?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Gnupg-users mailing list