I have not been able to use ssh-keygen -e to reliably generate a private key for SSH in PEM format. This format is sometimes used by commercial products. Instead, I had to convert the key using openssl.
# generate an RSA key of size 2048 bits
ssh-keygen -t rsa -b 2048 -f azure -C 'azure-dev'
# copy key to x.x.x.x and add to authorized_keys
# convert private key to PEM format
openssl rsa -in azure -outform PEM -out azure.pem
chmod 700 azure.pem
# test key
ssh -i ./azure.pem [email protected] -p 22
# add a passphrase
ssh-keygen -p -f azure.pem
# does it have a passphrase
ssh-keygen -y -f azure.pem
# test key, now with passphrase
ssh -i ./azure.pem [email protected] -p 22