A good passphrase keeps an SSH private key secure even if the key file is stolen. But we often skip the passphrase because we don't want to enter it every time we log in to a server. There is a way to balance security and convenience here: `ssh-agent`. `ssh-agent` is a program that runs on your computer and holds the decrypted private key in memory. The idea is that we enter the passphrase only when we load the key into `ssh-agent`; after that, everything works as normal.

We need to add a passphrase to our key first:

```
ssh-keygen -p -f ~/.ssh/id_rsa
Enter new passphrase (empty for no passphrase):[ENTER A GOOD PASSPHRASE]
Enter same passphrase again:[ENTER THAT PASSPHRASE AGAIN]
Your identification has been saved with the new passphrase.
```

Now the private key is protected with a passphrase. Next we load the key into memory:

```
ssh-add ~/.ssh/id_rsa
Enter passphrase for ~/.ssh/id_rsa: [ENTER PASSPHRASE]
Identity added: ~/.ssh/id_rsa (~/.ssh/id_rsa)
```

To verify that the key has been added to `ssh-agent`:

```
ssh-add -l
```

Now we should be able to log in to our servers as usual.
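
To confirm that both steps took effect, the script below checks that a key file really is passphrase-protected on disk and that the running agent holds it. It is an added example, not part of the original post; the function names are illustrative, and it assumes OpenSSH's `ssh-keygen` and `ssh-add` are on `PATH`.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are illustrative.
# Assumes OpenSSH's ssh-keygen and ssh-add are on PATH.
# key_is_encrypted FILE -> 0 passphrase-protected, 1 unencrypted,
# 2 cannot tell (missing file, bad permissions, not a private key).
key_is_encrypted() {
    [ -r "$1" ] || return 2
    # -y needs the private part; -P '' offers an empty passphrase, so success means none is set.
    if kie_err=$(ssh-keygen -y -P '' -f "$1" 2>&1 >/dev/null); then
        return 1
    fi
    case $kie_err in
        *"incorrect passphrase"*) return 0 ;;
        *) return 2 ;;
    esac
}

# agent_has_key FILE -> 0 agent holds the key, 1 it does not,
# 2 cannot tell (no fingerprint, or no agent reachable).
agent_has_key() {
    # The fingerprint comes from the public part; no passphrase is needed.
    ahk_fp=$(ssh-keygen -l -f "$1" 2>/dev/null | awk '{print $2}')
    [ -n "$ahk_fp" ] || return 2
    ahk_rc=0
    ahk_list=$(ssh-add -l 2>/dev/null) || ahk_rc=$?
    # ssh-add exits 2 when it cannot contact the agent, 1 when it is empty.
    if [ "$ahk_rc" -eq 2 ]; then return 2; fi
    case $ahk_list in
        *"$ahk_fp"*) return 0 ;;
        *) return 1 ;;
    esac
}

audit_key() {
    ak_rc=0; key_is_encrypted "$1" || ak_rc=$?
    case $ak_rc in
        0) echo "$1: passphrase-protected on disk" ;;
        1) echo "$1: NOT encrypted, run: ssh-keygen -p -f $1" ;;
        *) echo "$1: could not read as a private key" ;;
    esac
    ak_rc=0; agent_has_key "$1" || ak_rc=$?
    case $ak_rc in
        0) echo "$1: loaded in ssh-agent" ;;
        1) echo "$1: not in ssh-agent, run: ssh-add $1" ;;
        *) echo "$1: no agent reachable or fingerprint unavailable" ;;
    esac
}
if [ $# -gt 0 ]; then audit_key "$1"; fi
```

Run it as `sh audit.sh ~/.ssh/id_rsa` (the script file name is arbitrary).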