When converting the private key to pem format with toBuffer(), it is not encrypted even if a passphrase is specified with WriteOptions. In ssh format, WriteOptions seems to be reflected and can be encrypted.

Looking at the source code, it seems like a natural behavior because there is no particular reference to WriteOptions in toBuffer("pem"...).

WriteOptions is not described in the toBuffer() part of the README, so it may not be included in the specification, but it would be helpful if it could be encrypted.