openssl genrsa -out root.key
I do not encrypt it because I will use this key only to build a certificates chain of trust for my workstation.
openssl.org/docs/man1.1.1/man1/openssl-genrsa.html
To encrypt the key, you can add the -des3 option:
-aes128,-aes192,-aes256,-aria128,-aria192,-aria256,-camellia128,-camellia192,-camellia256,-des,-des3,-idea
These options encrypt the private key with specified cipher before outputting it. If none of these options is specified no encryption is used. If encryption is used a pass phrase is prompted for if it is not supplied via the -passout argument.