diff --git a/internal/controller/gitrepository_controller.go b/internal/controller/gitrepository_controller.go
index cf36de22c..29719bf3d 100644
--- a/internal/controller/gitrepository_controller.go
+++ b/internal/controller/gitrepository_controller.go
@@ -33,6 +33,7 @@ import (
 	"github.com/fluxcd/pkg/runtime/logger"
 	"github.com/fluxcd/pkg/runtime/secrets"
 	"github.com/go-git/go-git/v5/plumbing/transport"
+	ssh "golang.org/x/crypto/ssh"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -651,6 +652,22 @@ func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1
 		return nil, e
 	}
 
+	// Check if SSH identity key is encrypted but no password was provided.
+	if opts.Transport == git.SSH && len(opts.Identity) > 0 && opts.Password == "" {
+		if _, err := ssh.ParseRawPrivateKey(opts.Identity); err != nil {
+			var missingErr *ssh.PassphraseMissingError
+			if errors.As(err, &missingErr) {
+				e := serror.NewGeneric(
+					fmt.Errorf("SSH identity key is encrypted but no 'password' field was provided in the secret '%s/%s'",
+						obj.GetNamespace(), obj.Spec.SecretRef.Name),
+					sourcev1.AuthenticationFailedReason,
+				)
+				conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+				return nil, e
+			}
+		}
+	}
+
 	// Configure provider authentication if specified.
 	var getCreds func() (*authutils.GitCredentials, error)
 	switch provider := obj.GetProvider(); provider {