gpg-agent's SSH agent emulation: how to remove keys?

Ben Low benjamin.d.low at
Wed Jul 18 07:11:45 CEST 2018

Ah, I found the thread 'Deleting SSH key(s) from agent' from 2016, wherein
it was pointed out that gpg-connect-agent's keyinfo and delete_key commands
can be used to delete keys:

On 18 July 2018 at 14:37, Ben Low <benjamin.d.low at> wrote:

> gpg-agent's enable-ssh-support option makes it "possible to use the
> gpg-agent as a drop-in replacement for the well known ssh-agent"
> gpp-agent(1).
> There is a caveat in this 'drop-in replacement': unlike the well-known
> ssh-agent which caches keys only for the duration of the agent's process
> lifetime, gpg-agent makes its own copy that persists. The man page does
> implicitly note this by way of "gpg-agent [asks] for a passphrase, which is
> to be used for encrypting the newly received key and _storing_ it in a
> gpg-agent specific directory" (emphasis mine).
> Practically, this means that once a key is added to gpg-agent it's unclear
> as to how to remove it. ssh-add -d/-D doesn't work, and you can't simply
> remove keys from ~/.ssh/ and restart the agent as gpg-agent's not referring
> to those files.
> Seems like the only(?) method to remove SSH keys from gpg-agent is to look
> up the keygrip for the desired key in sshcontrol, then remove it from
> there as well as rm the matching file in private-keys-v1.d/ ? Is there
> anything else that needs cleaning up after doing that?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Gnupg-users mailing list