Allow removal of passphrase protection by calling encrypt with an empty passphrase

src/key.js

@@ -916,16 +916,15 @@ function generate(options) {
   if (options.keyType !== enums.publicKey.rsa_encrypt_sign) {
     throw new Error('Only RSA Encrypt or Sign supported');
   }
-  if (!options.passphrase) {
-    throw new Error('Parameter options.passphrase required');
-  }
 
   var packetlist = new packet.List();
 
   var secretKeyPacket = new packet.SecretKey();
   secretKeyPacket.algorithm = enums.read(enums.publicKey, options.keyType);
   secretKeyPacket.generate(options.numBits);
-  secretKeyPacket.encrypt(options.passphrase);
+  if (options.passphrase) {
+    secretKeyPacket.encrypt(options.passphrase);
+  }
 
   var userIdPacket = new packet.Userid();
   userIdPacket.read(options.userId);
@@ -960,7 +959,9 @@ function generate(options) {
   var secretSubkeyPacket = new packet.SecretSubkey();
   secretSubkeyPacket.algorithm = enums.read(enums.publicKey, options.keyType);
   secretSubkeyPacket.generate(options.numBits);
-  secretSubkeyPacket.encrypt(options.passphrase);
+  if (options.passphrase) {
+    secretSubkeyPacket.encrypt(options.passphrase);
+  }
 
   dataToSign = {};
   dataToSign.key = secretKeyPacket;

src/packet/secret_key.js

@@ -170,10 +170,18 @@ SecretKey.prototype.write = function () {
 
 
 /** Encrypt the payload. By default, we use aes256 and iterated, salted string
- * to key specifier
+ * to key specifier. If the key is in a decrypted state (isDecrypted == true)
+ * and the passphrase is empty or undefined, the key will be set as not encrypted.
+ * This can be used to remove passphrase protection after calling decrypt().
  * @param {String} passphrase
  */
 SecretKey.prototype.encrypt = function (passphrase) {
+  if (this.isDecrypted && !passphrase) {
+    this.encrypted = null;
+    return;
+  } else if (!passphrase) {
+    throw new Error('The key must be decrypted before removing passphrase protection.');
+  }
 
   var s2k = new type_s2k(),
     symmetric = 'aes256',