No, I meant the client private key that gcloud uses to authenticate itself (on your behalf) to Google's servers, not you to your servers. That wouldn't be an SSH key, probably TLS or hand-rolled crypto.

----

Also, now that you mention it, even if I encrypted the generated SSH key, wouldn't running a `gcloud ...` command again just ... re-generate the key, in unencrypted form?

Sorry, I should clarify: The client key is used in our corporate login.

When I log in to `gcloud`, that goes through our corporate login. Corporate login uses a client certificate and two-step.