I still makes sense to encrypt your ssh keys. Think of a bug in a browser
that allows a server reading your files.

Remi

right.

Disk Encryption protects your key and other data when your computer is
OFF. And only when it is off. When your computer is active and the
file systems available, any attacker that manages to get into your
system through any means can see whatever they have access to. If they
grab your no-passphrase key, they now have your key. If they grab your
passphrased key...they got a jumble of funny characters.

Nick.

Doesn't the fact that ssh-agent is running somehow make the keys
accessible anyway? Or am I making misassumptions on how it works?

--
Hugo Osvaldo Barrera

...
ssh-agent provides a way to USE keys, not expose keys. Remember, this
is public key cryptography, which has some nifty abilities to avoid
exposing private keys while still using them.

A key without a passphrase is protected by nothing other than file
permissions. Anything /you/ run or runs as you has the ability to read
your private key. ANYTHING. Your browser. Your mail client. That
obfuscated code block your friend just showed you. Your backup system.
Everyone else with doas access on your system.

From the man page:

"The agent will never send a private key over its request channel.
Instead, operations that require a private key will be performed by
the agent, and the result will be returned to the requester. This
way, private keys are not exposed to clients using the agent."

so ... there's no way to query the agent and get a passphrase-free
private key. Instead, things wishing to use the agent pose a query
(based on the public key) that can only be answered by something holding
the private key.

Now, I suspect (nb: I am not a cryptographer or SSH coder. But I sat at
a table with one once, and was completely in awe) the key has to be held
in unlocked form in RAM, so perhaps a very serious breach that allowed
the raw access of system RAM might produce it...but would also produce a
lot of other nifty things, and by that point, your system is so
completely compromised, not much is trustworthy anymore.

Nick.

If it's running and you haven't told it to forget the keys one
way or another: yes.

Some screen lockers allow you to run another program;
one thing you can do is run "ssh-add -D" to kill the keys when
you lock. Alternatively when you start ssh-agent you can use
the -t flag to set the lifetime of the key; if you do this
ssh-agent will expire added keys automatically after this
timeout. (for the latter if you use xdm you'll need to edit
Xsession).

By itself this can be annoying as you normally have to run
ssh-add to add the keys back in before you can use them. But
if you use "AddKeysToAgent yes", ssh will prompt you for the
key passphrase when it needs it (i.e. after the lock/timeout)
and add them to the agent automatically. So it works rather
like sudo's password timeout - very convenient, and it avoids
the keys hanging around in your agent for longer than needed.

I have actually seen step by step instructions for doing just that, but I
don't have the link around. You essentially need root permissions for
pulling that off.

Ssh-agent prevents an intruder from stealing the key material in any
useful form, but it does not prevent him from using the material that is
already kept by the agent - if he is able to send a query to your agent,
he will be able to use the keys even if he does not get to see them.

I encrypt my key materials even when I am using PFDE, I just don't think
the agent is something it is not.

That is a damn good advice!

Predrag