If you maintain the OpenVPN server, you can generate keys that require a password to be used. The technique is described at http://openvpn.net/index.php/open-source/documentation/howto.html#pki.
Scroll to the section titled Generate certificates & keys for 3 clients. You will want to use the
build-key-pass script to generate a password-protected key. This will prevent your key from being used maliciously if your phone falls into the wrong hands, though I am not entirely sure if CM 7's OpenVPN implementation supports it.
If you don't have the ability to use
build-key-pass to generate and register your own keys, then there is really no practical way to ensure the safety of your key without full-device encryption.