The SSH agent protocol, which is only specified in an Internet-Draft at the time of writing (draft-miller-ssh-agent), defines an extension mechanism. These names can be sent in an SSH_AGENTC_EXTENSION message.
add-ppk@putty.projects.tartarus.org
string containing a keypair in the PPK format defined in appendix C. Compared to the standard SSH_AGENTC_ADD_IDENTITY, this extension allows adding keys in encrypted form, with the agent requesting a decryption passphrase from the user on demand, and able to revert the key to encrypted form.
reencrypt@putty.projects.tartarus.org
string specifying a public key blob, as in SSH_AGENTC_REMOVE_IDENTITY. Requests that the agent forget any cleartext form of a specific key.
Returns SSH_AGENT_SUCCESS if the agent ended up holding the key only in encrypted form (even if it was already encrypted); returns SSH_AGENT_EXTENSION_FAILURE if not (if it wasn't held by the agent at all, or only in cleartext form).
reencrypt-all@putty.projects.tartarus.org
If the agent holds any keys with an encrypted form (or no keys at all), returns SSH_AGENT_SUCCESS to indicate that no such keys are now held in cleartext form, followed by a uint32 specifying how many keys remain in cleartext form (because the agent didn't hold an encrypted form for them). If the agent holds nothing but keys in cleartext form, returns SSH_AGENT_EXTENSION_FAILURE.
list-extended@putty.projects.tartarus.org
SSH_AGENT_SUCCESS followed by a list of identities similar to SSH_AGENT_IDENTITIES_ANSWER, except that each key has an extra SSH-2 string at the end. Currently that string contains a single uint32 flags word, with the following bits defined:
reencrypt extension can do something useful with it).
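
Added example, not part of the PuTTY documentation or source: framing the reencrypt and reencrypt-all requests described above and decoding the reencrypt-all reply, so a client can confirm how many keys are still held in cleartext. The message numbers are taken from draft-miller-ssh-agent; the function names and the sample reply bytes are constructed for illustration, and the transport to the agent is left out.

```python
import struct
from typing import Optional

# Message numbers from draft-miller-ssh-agent (not listed on this page).
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_EXTENSION = 27
SSH_AGENT_EXTENSION_FAILURE = 28

def ssh_string(data: bytes) -> bytes:
    """SSH-2 string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def extension_request(name: str, payload: bytes = b"") -> bytes:
    """Frame SSH_AGENTC_EXTENSION: uint32 length, type byte, name string, payload."""
    body = bytes([SSH_AGENTC_EXTENSION]) + ssh_string(name.encode("ascii")) + payload
    return struct.pack(">I", len(body)) + body

def reencrypt_request(public_blob: bytes) -> bytes:
    # Payload is one string holding the public key blob of the key to re-encrypt.
    return extension_request("reencrypt@putty.projects.tartarus.org",
                             ssh_string(public_blob))

def reencrypt_all_request() -> bytes:
    return extension_request("reencrypt-all@putty.projects.tartarus.org")

def parse_reencrypt_all_reply(frame: bytes) -> Optional[int]:
    """Return how many keys remain in cleartext, or None on
    SSH_AGENT_EXTENSION_FAILURE. Any other reply raises ValueError."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    (length,) = struct.unpack(">I", frame[:4])
    body = frame[4:]
    if length != len(body):
        raise ValueError("length field does not match frame size")
    if body[0] == SSH_AGENT_EXTENSION_FAILURE and len(body) == 1:
        return None
    if body[0] != SSH_AGENT_SUCCESS or len(body) != 5:
        # e.g. an agent that does not implement this extension
        raise ValueError("unexpected reply type or size")
    return struct.unpack(">I", body[1:5])[0]

# Constructed sample replies (not captured from a real agent).
SAMPLE_SUCCESS = bytes.fromhex("00000005" "06" "00000002")  # 2 keys still cleartext
SAMPLE_FAILURE = bytes.fromhex("00000001" "1c")

if __name__ == "__main__":
    print(reencrypt_all_request().hex())
    print(parse_reencrypt_all_reply(SAMPLE_SUCCESS), parse_reencrypt_all_reply(SAMPLE_FAILURE))
```

A returned count of 0 means every key the agent holds is now stored only in encrypted form; a non-zero count identifies keys that were added without an encrypted form and therefore cannot be re-encrypted.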