The accepted answer is somewhat behind the times. Now the best way to secure a private ssh key is using the the new format utilizing bcrypt's kdf[1] added to OpenSSH 6.5[2].<p>The new format makes it significantly harder (read: slower) to crack private keys, something much needed.<p>I've been using the new key format with ecdsa and ed25519. It's worth nothing that and some things like GNOME Keyring's ssh-agent don't support the format just yet, so things like ssh-add to the agent appear to fail and I haven't looked any deeper yet.<p>[1] <a href="http://www.tedunangst.com/flak/post/new-openssh-key-format-and-bcrypt-pbkdf" rel="nofollow">http://www.tedunangst.com/flak/post/new-openssh-key-format-a...</a><p>[2] <a href="http://www.openssh.com/txt/release-6.5" rel="nofollow">http://www.openssh.com/txt/release-6.5</a>