To encrypt your SSH key, use:

ssh-keygen -p -f ~/.ssh/id_rsa

If the encrypted private key is stolen, an attacker needs to brute-force (guess) your password to use it.

To be more resistant to brute force-attacks, specify -a <number> to set the number of rounds used. The default is 16.

ssh-keygen -p -a 500 -f ~/.ssh/id_rsa