You can password protect your key file so that ed an extra password is needed to connect with openvpn. It will also work with embedded certificates in .ovpn
Run the following to add a password to your existing keyfile.
openssl rsa -aes256 -in your.key -out your.encrypted.key
A password protected file looks almost the same as an normal private key. but includes what type of encryption the file has been given.
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-256-CBC,EE27A0FAB676201D1330339B91C620B4 .... -----END RSA PRIVATE KEY-----