First, let's generate a strong passphrase to protect the private key. As we are being git driven we do this inside our environment repo:
# ensure that we don't accidentally publish the passphrase to the key
echo passphrase >> .gitignore
git add .gitignore
git commit -m "ignore passphrase"
# generate a random passphrase