diff --git a/agent/ChangeLog b/agent/ChangeLog
index 263259f6a..bd009ecbe 100644
--- a/agent/ChangeLog
+++ b/agent/ChangeLog
@@ -1,3 +1,10 @@
+2004-01-24  Werner Koch  <wk@gnupg.org>
+
+	* call-scd.c (atfork_cb): New.
+	(start_scd): Make sure secmem gets cleared.
+	* query.c  (atfork_cb): New.
+	(start_pinentry): Make sure secmem gets cleared.
+
 2004-01-16  Werner Koch  <wk@gnupg.org>
 
 	* findkey.c (agent_key_from_file): Now return an error code so
diff --git a/agent/call-scd.c b/agent/call-scd.c
index 14487f1e3..f205fb074 100644
--- a/agent/call-scd.c
+++ b/agent/call-scd.c
@@ -152,6 +152,16 @@ unlock_scd (int rc)
   return rc;
 }
 
+/* To make sure we leave no secrets in our image after forking of the
+   scdaemon, we use this callback. */
+static void
+atfork_cb (void *opaque, int where)
+{
+  if (!where)
+    gcry_control (GCRYCTL_TERM_SECMEM);
+}
+
+
 /* Fork off the SCdaemon if this has not already been done */
 static int
 start_scd (void)
@@ -206,9 +216,9 @@ start_scd (void)
     }
   no_close_list[i] = -1;
 
-  /* connect to the pinentry and perform initial handshaking */
-  rc = assuan_pipe_connect (&ctx, opt.scdaemon_program, (char**)argv,
-                            no_close_list);
+  /* Connect to the pinentry and perform initial handshaking */
+  rc = assuan_pipe_connect2 (&ctx, opt.scdaemon_program, (char**)argv,
+                             no_close_list, atfork_cb, NULL);
   if (rc)
     {
       log_error ("can't connect to the SCdaemon: %s\n",
diff --git a/agent/query.c b/agent/query.c
index 4a051965d..a3a773380 100644
--- a/agent/query.c
+++ b/agent/query.c
@@ -78,6 +78,17 @@ unlock_pinentry (int rc)
   return rc;
 }
 
+
+/* To make sure we leave no secrets in our image after forking of the
+   pinentry, we use this callback. */
+static void
+atfork_cb (void *opaque, int where)
+{
+  if (!where)
+    gcry_control (GCRYCTL_TERM_SECMEM);
+}
+
+
 /* Fork off the pin entry if this has not already been done.  Note,
    that this function must always be used to aquire the lock for the
    pinentry - we will serialize _all_ pinentry calls.
@@ -139,9 +150,9 @@ start_pinentry (CTRL ctrl)
     }
   no_close_list[i] = -1;
 
-  /* connect to the pinentry and perform initial handshaking */
-  rc = assuan_pipe_connect (&ctx, opt.pinentry_program, (char**)argv,
-                            no_close_list);
+  /* Connect to the pinentry and perform initial handshaking */
+  rc = assuan_pipe_connect2 (&ctx, opt.pinentry_program, (char**)argv,
+                             no_close_list, atfork_cb, NULL);
   if (rc)
     {
       log_error ("can't connect to the PIN entry module: %s\n",