In the real world (a datacenter, for instance) systems can't be rebooted because of ssh-agent, with obvious security and maintenance consequences. There has to be a procedure that contains the passphrase in clear text, for obvious reasons.
Even if there is time and money and you have stored your passphrase in the Pentagon vault, the security problem is not solved by simply rebooting and typing in the passphrase. There is the risk of someone sniffing the passphrase or being able to hijack the session or otherwise fool ssh-agent.
Your example is a rather contrived one in that it highlights only a small part of the problem and solution space. The problem of protecting a running ssh-agent is remarkably similar to protecting an unencrypted key. And I would definitely worry if someone got their hands on my encrypted key also, by the way.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds