
SSH key added on boot without password prompt - how and why?

1 vote
1 answer
483 views
I have a passphrase-protected SSH key stored in `~/.ssh/id_rsa`. In my `.zshrc` I have this fragment:

```
if ! ssh-add -l > /dev/null; then
    ssh-add
fi
```

After booting, I usually open the terminal, see the passphrase prompt, then unlock my KeePass 2 DB, copy the passphrase to clipboard and paste it into the terminal to add the key to the agent.

A few days ago, I rebooted the system, logged in, and opened the terminal. To my surprise, the passphrase prompt didn't appear. Surprised, I typed `ssh-add -l` to see my key already added. That was weird, but I hand-waved it away, thinking that I forgot that I've already typed the password.

A moment ago, I ran `sudo systemctl kexec`, and after logging in, the key was already added again. My KeePass DB was locked. The passphrase is long and random (`/[a-zA-Z0-9]{20}/`).

This time I suspected it's something specific to kexec, but after yet another `sudo systemctl kexec`, the passphrase prompt appeared and the key wasn't added to the agent.

- How come my SSH key is sometimes added to the agent after reboot?
- Can it also happen after a cold boot? (yes)
- What can I do to prevent it?

I'm using Pop!_OS 18.04, booting with UEFI off a GPT disk with LUKS-encrypted `/` and unencrypted `/boot`, no LVM if that matters.

---

_Edit:_ I've just cold booted after 4 days and the key was already added to the agent again.
Asked by gronostaj (718 rep)
Nov 8, 2019, 02:32 PM
Last activity: Dec 3, 2019, 05:57 PM