<div dir="ltr"><div>Ah, I found the thread 'Deleting SSH key(s) from agent' from 2016, wherein it was pointed out that gpg-connect-agent's keyinfo and delete_key commands can be used to delete keys:<br><div><a href="https://lists.gnupg.org/pipermail/gnupg-users/2016-August/056499.html">https://lists.gnupg.org/pipermail/gnupg-users/2016-August/056499.html</a><br></div></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 18 July 2018 at 14:37, Ben Low <span dir="ltr"><<a href="mailto:benjamin.d.low@gmail.com" target="_blank">benjamin.d.low@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">gpg-agent's enable-ssh-support option makes it "possible to use the gpg-agent as a drop-in replacement for the well known ssh-agent" gpp-agent(1).<div><br></div><div>There is a caveat in this 'drop-in replacement': unlike the well-known ssh-agent which caches keys only for the duration of the agent's process lifetime, gpg-agent makes its own copy that persists. The man page does implicitly note this by way of "gpg-agent [asks] for a passphrase, which is to be used for encrypting the newly received key and _storing_ it in a gpg-agent specific directory" (emphasis mine).</div><div><br></div><div>Practically, this means that once a key is added to gpg-agent it's unclear as to how to remove it. ssh-add -d/-D doesn't work, and <span style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">you can't simply remove keys from ~/.ssh/ and restart the agent as gpg-agent's not referring to those files.</span><br></div><div><span style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br></span></div><div><span style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Seems like the only(?) method to remove SSH keys from gpg-agent is to look up the keygrip for the desired key in sshcontrol, then </span>remove it from there as well as rm the matching file in private-keys-v1.d/ ? Is there anything else that needs cleaning up after doing that?</div><div><br></div></div>
</blockquote></div><br></div>