Yeah, I know, it’s old, but I need this mostly as a memo to self: SSH key handling changed between macOS 10.11 and 10.12.
What you probably want is the following magic in a generic Host block of your machine's ~/.ssh/config or /etc/ssh/ssh_config:
Host *
    UseKeychain no
    AddKeysToAgent yes
This stores your SSH keys in the agent the first time they are used, so you enter the passphrase only once. It does not persist the keys in the keychain, so after each restart you have to authenticate and unlock the keys once.
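A check worth having before trusting that Host block: ssh_config uses the first value obtained for a keyword, so a more specific Host block placed earlier in the file silently overrides Host *. The script below is an added example (not from the original post) that resolves the effective UseKeychain and AddKeysToAgent values for a hostname from ssh_config text. The sample config is constructed; the parser handles only the `Keyword value` form and `*`/`?` wildcards, which is enough for the blocks discussed here.

```python
"""Added example: resolve effective ssh_config keywords for a host.
ssh_config semantics assumed here: keywords are case-insensitive, and the
FIRST value obtained for a keyword (in file order) wins."""
import fnmatch

# Constructed sample ~/.ssh/config: the earlier, more specific block wins
# over Host * for build-box, which is easy to miss when reading the file.
SAMPLE_CONFIG = """\
Host build-box
    AddKeysToAgent no      # overrides the Host * value below for this host

Host *
    UseKeychain no
    AddKeysToAgent yes
"""

def parse_ssh_config(text):
    """Return (patterns, {keyword: value}) blocks in file order.
    Keywords are lower-cased because ssh treats them case-insensitively;
    only the 'Keyword value' form is handled (assumption of this example)."""
    blocks = []
    current = (["*"], {})        # settings before any Host line apply everywhere
    blocks.append(current)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        else:
            current[1].setdefault(key, value)  # first occurrence in a block wins
    return blocks

def effective(text, hostname, keyword):
    """First matching block (file order) that sets `keyword` decides the value."""
    keyword = keyword.lower()
    for patterns, settings in parse_ssh_config(text):
        negated = [p[1:] for p in patterns if p.startswith("!")]
        positive = [p for p in patterns if not p.startswith("!")]
        if any(fnmatch.fnmatchcase(hostname, p) for p in negated):
            continue
        if any(fnmatch.fnmatchcase(hostname, p) for p in positive) and keyword in settings:
            return settings[keyword]
    return None

def audit(text, hostname):
    """Report the two keywords the post's Host * block sets, as resolved for hostname."""
    return {k: effective(text, hostname, k) for k in ("UseKeychain", "AddKeysToAgent")}

if __name__ == "__main__":
    for host in ("build-box", "github.com"):
        print(host, audit(SAMPLE_CONFIG, host))
```

Run it against your real file with `audit(open(os.path.expanduser("~/.ssh/config")).read(), "some-host")`; on a machine with ssh installed, `ssh -G some-host` prints the same resolved values and is the authoritative check.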
Getting rid of persisted keys is complicated and requires some SQLite magic.
ssh-add -D -K
for f in ~/Library/Keychains/*/keychain-2.db
do
    sqlite3 "$f" "delete from genp where agrp = 'com.apple.ssh.passphrases';"
done
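Before running a blind `delete` against a keychain database, a practitioner wants to see how many rows match and to keep a copy of the file. The script below is an added example (not from the original post) that does a dry-run count first, backs the file up, and only then deletes. The keychain-2.db schema is assumed only as far as the post's own query shows (a table `genp` with an `agrp` column); the sample database it builds is constructed with a minimal schema for demonstration and is not a real keychain file.

```python
"""Added example: count, back up, then purge com.apple.ssh.passphrases rows
from a keychain-2.db-style SQLite file. Schema assumption: table genp with
column agrp, exactly what the post's delete statement relies on."""
import os
import shutil
import sqlite3
import tempfile

SSH_AGRP = "com.apple.ssh.passphrases"   # the agrp value from the post's query

def count_ssh_passphrases(db_path):
    """Dry-run counterpart of the post's delete: how many rows would go."""
    with sqlite3.connect(db_path) as conn:
        (n,) = conn.execute(
            "select count(*) from genp where agrp = ?", (SSH_AGRP,)).fetchone()
    return n

def count_all_rows(db_path):
    with sqlite3.connect(db_path) as conn:
        (n,) = conn.execute("select count(*) from genp").fetchone()
    return n

def purge_ssh_passphrases(db_path, dry_run=True):
    """Return (rows_matched, backup_path). Deletes only when dry_run is False,
    and only after copying the file to <db_path>.bak."""
    n = count_ssh_passphrases(db_path)
    if dry_run or n == 0:
        return n, None
    backup = db_path + ".bak"
    shutil.copy2(db_path, backup)
    with sqlite3.connect(db_path) as conn:
        conn.execute("delete from genp where agrp = ?", (SSH_AGRP,))
    return n, backup

def make_sample_db(path):
    """Constructed stand-in for keychain-2.db: two ssh passphrase rows plus
    one unrelated item that must survive the purge."""
    with sqlite3.connect(path) as conn:
        conn.execute("create table genp (id integer primary key, agrp text, acct text)")
        conn.executemany("insert into genp (agrp, acct) values (?, ?)", [
            (SSH_AGRP, "SSH: /Users/me/.ssh/id_ed25519"),
            (SSH_AGRP, "SSH: /Users/me/.ssh/id_rsa"),
            ("com.apple.other", "unrelated generic password"),
        ])
    return path

def demo():
    """Walk through dry run, purge and verification on the constructed db."""
    tmp = tempfile.mkdtemp()
    db = make_sample_db(os.path.join(tmp, "keychain-2.db"))
    before = count_ssh_passphrases(db)
    dry, _ = purge_ssh_passphrases(db, dry_run=True)       # nothing deleted yet
    deleted, backup = purge_ssh_passphrases(db, dry_run=False)
    result = {
        "before": before,
        "dry_run_matched": dry,
        "deleted": deleted,
        "after": count_ssh_passphrases(db),
        "other_rows_kept": count_all_rows(db),
        "backup_made": backup is not None and os.path.exists(backup),
    }
    shutil.rmtree(tmp)
    return result

if __name__ == "__main__":
    print(demo())
```

Against the real files, call `purge_ssh_passphrases(path)` with the default `dry_run=True` for each `~/Library/Keychains/*/keychain-2.db` first, and delete the `.bak` copy once you have confirmed the keys no longer load without a passphrase prompt; the post's `ssh-add -D -K` still has to run to clear what the agent already holds.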