diff --git a/pageant.c b/pageant.c
index d32344ba..bd87edbe 100644
--- a/pageant.c
+++ b/pageant.c
@@ -1975,12 +1975,29 @@ int pageant_add_keyfile(Filename *filename, const char *passphrase,
 }
 for (size_t i = 0; i < kl->nkeys; i++) {
+ /*
+ * If the key already exists in the agent, we're done
+ * ... *unless* it's encrypted in the agent and we're
+ * being asked to add it unencrypted, in which case we
+ * still want to upload the unencrypted version to
+ * cause the key to become decrypted.
+ *
+ * (Rationale: if you know in advance you're going to
+ * want it, and don't want to be interrupted at an
+ * unpredictable moment to be asked for the
+ * passphrase.)
+ */
 if (ptrlen_eq_ptrlen(ptrlen_from_strbuf(blob), kl->keys[i].blob)) {
- /* Key is already present; we can now leave. */
- keylist_free(kl);
- strbuf_free(blob);
- return PAGEANT_ACTION_OK;
+ bool have_unencrypted =
+ !(kl->keys[i].flags &
+ LIST_EXTENDED_FLAG_HAS_NO_CLEARTEXT_KEY);
+ if (have_unencrypted || add_encrypted) {
+ /* Key is already present; we can now leave. */
+ keylist_free(kl);
+ strbuf_free(blob);
+ return PAGEANT_ACTION_OK;
+ }
 }
 }
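Review bot: When the blob matches but the agent holds only the encrypted form and `add_encrypted` is false, the new inner `if` falls through silently and the `for` loop keeps comparing the remaining entries; a `break;` after the inner `if` block, still inside the blob-match branch, would make the "found, but must re-upload" outcome explicit, assuming the agent never lists the same public blob twice. The decision also rests entirely on the `flags` value recorded for that list entry, so it is worth confirming in the list-parsing code (not visible here) that `flags` is zero when the agent does not support the extended listing; otherwise a stray `LIST_EXTENDED_FLAG_HAS_NO_CLEARTEXT_KEY` bit could push an already-usable key back through the load-and-passphrase path. The enclosing `pageant_add_keyfile` starts and ends outside the hunk, so the upload path that follows the loop cannot be checked from this change alone.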