diff --git a/doc/pageant.but b/doc/pageant.but index 4250a3a7..e2bc88d8 100644 --- a/doc/pageant.but +++ b/doc/pageant.but @@ -243,16 +243,13 @@ This works the same way whether the key is used by an instance of PuTTY running locally, or a remote client connecting to Pageant through agent forwarding. -After the key has been decrypted for the first use, it remains -decrypted, so that it can be used again. - -To add a key to Pageant by reading it out of a local disk file, press -the \q{Add Key (encrypted)} button in the Pageant main window, or -alternatively right-click on the Pageant icon in the system tray and -select \q{Add Key (encrypted)} from there. Pageant will bring up a -file dialog, in just the same way as it would for the plain \q{Add -Key} button. But it won't ask for a passphrase. Instead, the key will -be listed in the main window with \q{(encrypted)} after it. +To add a key to Pageant in this encrypted form, press the \q{Add Key +(encrypted)} button in the Pageant main window, or alternatively +right-click on the Pageant icon in the system tray and select \q{Add +Key (encrypted)} from there. Pageant will bring up a file dialog, in +just the same way as it would for the plain \q{Add Key} button. But it +won't ask for a passphrase. Instead, the key will be listed in the +main window with \q{(encrypted)} after it. To start Pageant up in the first place with encrypted keys loaded into it, you can use the \cq{--encrypted} option on the command line. For @@ -260,6 +257,10 @@ example: \c C:\PuTTY\pageant.exe --encrypted d:\main.ppk +After a key has been decrypted for the first use, it remains +decrypted, so that it can be used again. You can do this using the +\q{Re-encrypt} button in the Pageant main window. + \s{CAUTION}: When Pageant displays a prompt to decrypt an already-loaded key, it cannot give keyboard focus to the prompt dialog box. As far as I know this is a deliberate defensive measure by 
diff --git a/pageant.c b/pageant.c
index c89269ef..83aa806e 100644
--- a/pageant.c
+++ b/pageant.c
@@ -1400,6 +1400,14 @@ bool pageant_delete_nth_ssh2_key(int i)
 return true;
 }
 
+bool pageant_reencrypt_nth_ssh2_key(int i)
+{
+ PageantKey *pk = index234(keytree, find_first_key_for_version(2) + i);
+ if (!pk)
+ return false;
+ return reencrypt_key(pk);
+}
+
 /* ----------------------------------------------------------------------
 * The agent plug.
 */
diff --git a/pageant.h b/pageant.h
index d44fa295..ed436452 100644
--- a/pageant.h
+++ b/pageant.h
@@ -113,12 +113,14 @@ void pageant_make_keylist2(BinarySink *);
 
 /*
 * Accessor functions for Pageant's internal key lists, used by GUI
- * Pageant, to count the keys and to delete a key.
+ * Pageant, to count the keys, to delete a key, or to re-encrypt a
+ * decrypted-on-demand key (SSH-2 only).
 */
 int pageant_count_ssh1_keys(void);
 int pageant_count_ssh2_keys(void);
 bool pageant_delete_nth_ssh1_key(int i);
 bool pageant_delete_nth_ssh2_key(int i);
+bool pageant_reencrypt_nth_ssh2_key(int i);
 
 /*
 * This callback must be provided by the Pageant front end code.
diff --git a/windows/pageant-rc.h b/windows/pageant-rc.h
index 9a60c95f..abe92dc4 100755
--- a/windows/pageant-rc.h
+++ b/windows/pageant-rc.h
@@ -19,6 +19,7 @@
 #define IDC_KEYLIST_LISTBOX 100
 #define IDC_KEYLIST_ADDKEY 101
 #define IDC_KEYLIST_ADDKEY_ENC 110
+#define IDC_KEYLIST_REENCRYPT 106
 #define IDC_KEYLIST_REMOVE 102
 #define IDC_KEYLIST_HELP 103
 #define IDC_KEYLIST_FPTYPE_STATIC 104
diff --git a/windows/pageant.rc b/windows/pageant.rc
index 3358656b..12fd7828 100644
--- a/windows/pageant.rc
+++ b/windows/pageant.rc
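Review bot: `pageant_reencrypt_nth_ssh2_key()` in the pageant.c hunk has no comment saying what a `false` return means, and the updated comment above the prototype in pageant.h does not say either. From the visible lines, `false` covers both "no key at that index" and whatever failure `reencrypt_key()` reports, and in the second case the private key presumably stays decrypted in the agent's memory, which is what a caller most needs to know. I would add above the definition `/* Returns false if there is no i-th SSH-2 key or reencrypt_key() could not re-encrypt it. */`, extended with what `reencrypt_key()` guarantees on failure, since its body is not part of this diff. The index is also not checked for being non-negative, so `find_first_key_for_version(2) + i` relies on every caller passing an in-range value.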
@@ -43,18 +43,19 @@ BEGIN PUSHBUTTON "&Cancel", IDCANCEL, 135, 52, 40, 14 END -IDD_KEYLIST DIALOG DISCARDABLE 0, 0, 450, 211 +IDD_KEYLIST DIALOG DISCARDABLE 0, 0, 450, 236 STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Pageant Key List" FONT 8, "MS Shell Dlg" BEGIN LISTBOX 100, 10, 10, 420, 155, LBS_EXTENDEDSEL | LBS_HASSTRINGS | LBS_USETABSTOPS | WS_VSCROLL | WS_TABSTOP - PUSHBUTTON "&Add Key", IDC_KEYLIST_ADDKEY, 75, 187, 60, 14 - PUSHBUTTON "Add Key (&encrypted)", IDC_KEYLIST_ADDKEY_ENC, 150, 187, 100, 14 - PUSHBUTTON "&Remove Key", IDC_KEYLIST_REMOVE, 315, 187, 60, 14 - PUSHBUTTON "&Help", IDC_KEYLIST_HELP, 10, 187, 50, 14 - DEFPUSHBUTTON "&Close", IDOK, 390, 187, 50, 14 + PUSHBUTTON "&Add Key", IDC_KEYLIST_ADDKEY, 10, 187, 60, 14 + PUSHBUTTON "Add Key (&encrypted)", IDC_KEYLIST_ADDKEY_ENC, 75, 187, 80, 14 + PUSHBUTTON "Re-e&ncrypt", IDC_KEYLIST_REENCRYPT, 315, 187, 60, 14 + PUSHBUTTON "&Remove", IDC_KEYLIST_REMOVE, 380, 187, 60, 14 + PUSHBUTTON "&Help", IDC_KEYLIST_HELP, 10, 212, 50, 14 + DEFPUSHBUTTON "&Close", IDOK, 390, 212, 50, 14 LTEXT "&Fingerprint type:", IDC_KEYLIST_FPTYPE_STATIC, 10, 172, 60, 8 COMBOBOX IDC_KEYLIST_FPTYPE, 70, 170, 60, 12, CBS_DROPDOWNLIST END diff --git a/windows/winpgnt.c b/windows/winpgnt.c index e850949a..8fe93321 100644 --- a/windows/winpgnt.c +++ b/windows/winpgnt.c @@ -582,6 +582,7 @@ static INT_PTR CALLBACK KeyListProc(HWND hwnd, UINT msg, } return 0; case IDC_KEYLIST_REMOVE: + case IDC_KEYLIST_REENCRYPT: if (HIWORD(wParam) == BN_CLICKED || HIWORD(wParam) == BN_DOUBLECLICKED) { int i; @@ -617,7 +618,14 @@ static INT_PTR CALLBACK KeyListProc(HWND hwnd, UINT msg, */ for (i = sCount - 1; (itemNum >= 0) && (i >= 0); i--) { if (selectedArray[itemNum] == rCount + i) { - pageant_delete_nth_ssh2_key(i); + switch (LOWORD(wParam)) { + case IDC_KEYLIST_REMOVE: + pageant_delete_nth_ssh2_key(i); + break; + case IDC_KEYLIST_REENCRYPT: + pageant_reencrypt_nth_ssh2_key(i); + break; + } itemNum--; } } 
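Review bot: The result of `pageant_reencrypt_nth_ssh2_key(i)` is discarded in the `IDC_KEYLIST_REENCRYPT` case of the SSH-2 loop in windows/winpgnt.c (hunk at -617), so a Re-encrypt click that leaves a key decrypted looks the same to the user as one that worked. The button exists to get decrypted private key material out of the agent's memory, so a failure should be visible, for example `if (!pageant_reencrypt_nth_ssh2_key(i)) reencrypt_failed = true;` followed by one message once both loops have finished. The same gap exists in the SSH-1 loop of the next hunk (-625), where selected SSH-1 keys are skipped with only a source comment and no indication to the user. Both inner `switch` statements also have no `default:` label. The code that runs after the loops is outside these hunks, so whether the key list is refreshed to show the outcome cannot be confirmed from here.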
@@ -625,7 +633,14 @@ static INT_PTR CALLBACK KeyListProc(HWND hwnd, UINT msg,
 /* do the same for the rsa keys */
 for (i = rCount - 1; (itemNum >= 0) && (i >= 0); i--) {
 if(selectedArray[itemNum] == i) {
- pageant_delete_nth_ssh1_key(i);
+ switch (LOWORD(wParam)) {
+ case IDC_KEYLIST_REMOVE:
+ pageant_delete_nth_ssh1_key(i);
+ break;
+ case IDC_KEYLIST_REENCRYPT:
+ /* SSH-1 keys can't be re-encrypted */
+ break;
+ }
 itemNum--;
 }
 }
@@ -660,6 +675,7 @@ static INT_PTR CALLBACK KeyListProc(HWND hwnd, UINT msg,
 case IDC_KEYLIST_ADDKEY: topic = WINHELP_CTX_pageant_addkey; break;
 case IDC_KEYLIST_REMOVE: topic = WINHELP_CTX_pageant_remkey; break;
 case IDC_KEYLIST_ADDKEY_ENC:
+ case IDC_KEYLIST_REENCRYPT:
 topic = WINHELP_CTX_pageant_deferred; break;
 }
 if (topic) {