gpg-agent's SSH agent emulation: how to remove keys?

Werner Koch wk at
Wed Jul 18 22:19:49 CEST 2018

On Wed, 18 Jul 2018 06:37, benjamin.d.low at said:

> Practically, this means that once a key is added to gpg-agent it's unclear
> as to how to remove it. ssh-add -d/-D doesn't work, and you can't simply
> remove keys from ~/.ssh/ and restart the agent as gpg-agent's not referring

Right, gpg-agent takes a copy of the files from .ssh/ and you can even
delete the private keys files in .ssh after that.  If you don't do this
you have two protected (i.e. encrypted) copies of the private keys on
your disk.  Now ssh-add -D when used with OpenSSH's ssh-agent does not
delete the key it merely removes it from ssh-agent's cache.  The private
key is still on the disk.

So the question is not how often you do "ssh-add -D" but how often do
you rm ~/.ssh/a-private-key ?

> up the keygrip for the desired key in sshcontrol, then remove it from there
> as well as rm the matching file in private-keys-v1.d/ ? Is there anything

You only need to remove it from private-keys-v1.d; sshcontrol only
enables a key for use in the ssh-agent protocol.  This way you can
decide which of your keys (even OpenPGP keys) can be used for ssh.

In any case I would suggest getting rid of on-disk keys and using a
smartcard for ssh keys.



#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are governed by a federal law.
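The procedure Werner describes (delete the key file named by its keygrip under private-keys-v1.d, and optionally drop the keygrip's line from sshcontrol) as an added worked example; this is editor-supplied shell, not code from the original post or from GnuPG. The file layout it relies on is the one gpg-agent uses: `$GNUPGHOME/private-keys-v1.d/<KEYGRIP>.key` for the protected private key and `$GNUPGHOME/sshcontrol` with one keygrip per line, a leading `!` disabling an entry and `#` starting a comment. The function names `list_ssh_keygrips`, `remove_gpg_ssh_key` and `make_demo_home` are the example's own, and `make_demo_home` builds a constructed GnuPG home with placeholder key files (not real key material) so the script can be run without touching a real ~/.gnupg.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post or GnuPG):
# remove one key from gpg-agent's SSH emulation by keygrip, working on
# the files in a GnuPG home directory (defaults to $GNUPGHOME or ~/.gnupg).
#
# Layout assumed (this is what gpg-agent uses):
#   $HOME_DIR/private-keys-v1.d/<KEYGRIP>.key  protected private key
#   $HOME_DIR/sshcontrol                       keygrips enabled for ssh,
#                                              '!' prefix = disabled, '#' = comment

# Print (uppercased) the keygrips that sshcontrol currently enables for ssh.
list_ssh_keygrips() {
  home=${1:-${GNUPGHOME:-$HOME/.gnupg}}
  [ -f "$home/sshcontrol" ] || return 0
  # strip comments, skip blank lines and disabled ('!') entries, keep field 1
  sed -e 's/#.*$//' "$home/sshcontrol" |
    awk 'NF > 0 && $1 !~ /^!/ { print toupper($1) }'
}

# Remove a key from gpg-agent entirely: delete its key file and drop its
# sshcontrol line.  Returns 0 on success, 2 for a malformed keygrip, 3 if no
# key file existed for that keygrip.
remove_gpg_ssh_key() {
  keygrip=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  home=${2:-${GNUPGHOME:-$HOME/.gnupg}}
  keyfile="$home/private-keys-v1.d/$keygrip.key"
  control="$home/sshcontrol"

  # A keygrip is exactly 40 hex digits; refuse anything else so a path is
  # never built from arbitrary input (no "../" tricks, no globbing).
  case $keygrip in
    *[!0-9A-F]*) echo "remove_gpg_ssh_key: not a keygrip: $1" >&2; return 2 ;;
  esac
  [ "${#keygrip}" -eq 40 ] ||
    { echo "remove_gpg_ssh_key: not a keygrip: $1" >&2; return 2; }

  [ -f "$keyfile" ] ||
    { echo "remove_gpg_ssh_key: no key file for $keygrip" >&2; return 3; }
  rm -f -- "$keyfile"

  # Deleting the key file is what actually removes the key (Werner's point);
  # dropping the sshcontrol line just avoids a dangling reference.  Match the
  # first field case-insensitively, with or without the '!' prefix, and copy
  # every other line (comments, TTL/flag fields included) unchanged.
  if [ -f "$control" ]; then
    tmp="$control.tmp.$$"
    awk -v kg="$keygrip" '
      { k = $1; sub(/^!/, "", k) }
      toupper(k) != kg { print }
    ' "$control" > "$tmp" && mv -- "$tmp" "$control"
  fi
  return 0
}

# Build a constructed GnuPG home for the demo/test: three placeholder key
# files (not real keys) and an sshcontrol that enables two of them.
make_demo_home() {
  d=$(mktemp -d)
  mkdir -p "$d/private-keys-v1.d"
  for kg in 1111111111111111111111111111111111111111 \
            2222222222222222222222222222222222222222 \
            3333333333333333333333333333333333333333; do
    printf 'placeholder, not a real protected-private-key\n' \
      > "$d/private-keys-v1.d/$kg.key"
  done
  cat > "$d/sshcontrol" <<'EOF'
# constructed sshcontrol for the example: KEYGRIP [TTL] [flags]
1111111111111111111111111111111111111111 0
2222222222222222222222222222222222222222 0 confirm
!3333333333333333333333333333333333333333 0
EOF
  printf '%s\n' "$d"
}

# Run with "demo" as the first argument to see the functions in action.
case ${1:-} in
  demo)
    home=$(make_demo_home)
    echo "enabled before:"; list_ssh_keygrips "$home"
    remove_gpg_ssh_key 1111111111111111111111111111111111111111 "$home"
    echo "enabled after:";  list_ssh_keygrips "$home"
    rm -rf -- "$home"
    ;;
esac
```

To find the keygrip of the key you want to remove from a running agent, `gpg-connect-agent 'keyinfo --ssh-list --data' /bye` lists the keygrips gpg-agent currently offers over the ssh-agent protocol, and adding `--ssh-fpr` to that command makes it print the SSH fingerprint next to each keygrip so you can match it against `ssh-add -l`. Once the key file is gone the agent cannot use the key any more; if you also want to drop a cached passphrase for it, `gpg-connect-agent "clear_passphrase <KEYGRIP>" /bye` does that.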
