How should I manage a secure, personal ssh key?

I need to have a personal ssh key such that:

• I can back up a single file containing my private key, and restore it when I do a new install.
• The private key is never stored in unencrypted form anywhere, including in the file that I back up and restore, but with the necessary exception of my RAM while I am using it.
• Someone with physical access to my machine cannot necessarily use my private key. I should be required to enter a password before it will work, preferably the password to my user account.
• It is not necessary to back up the public key. I should be able to generate that from the private key (but may need sufficient information to decrypt it).

I know that there are a lot of resources explaining how to use ssh key management tools. However, I find them quite complex, and I have proven unable to save my private key when doing new installs in the past. So I would much rather hear some best practices from someone with experience doing exactly what I want to do.

Going through your points:

• When you generate a SSH key, it's stored in ~/.ssh/ as id_rsa (or id_dsa). You can move this from machine to machine as you wish.

• You can ensure its encryption by encrypting /home/. There are several sets of instructions on how to do this around the internet but (having never done this myself) I can't honestly suggest one over another. The one on UbuntuForums seems as good as any other. Doing this on a fresh install is easier (you can do it in the installer) but it's not required.

• When you generate your keypair, make sure you set a passphrase. This means that even if somebody gets your private key, they still need that token to use it.

• ssh-keygen -e will generate your public key hash from your private key. Do yes, you don't need to back that up (although it wouldn't be hard to do either - it's stored as ~/.ssh/id_rsa.pub).