by eximius 1485 days ago
I actually wish there was an in-between model that supported key extraction.

Let me store my key in a secure, offline, physical device... and extract to clone it when my YubiKey is worryingly old.

My threat model does not include physical attacks, but storage of a key on-device or in backups? Or forgetting a password for an encrypted archive? Yep.

2 comments

YubiHSM can do that. Not sure about YubiKey. It’s called export wrapped. Here wrapped means the export is encrypted by another key first. The only catch (feature) is that the key must be created with this capability on its initial creation; you can’t export a key that disallows exporting.
The robot arm part of this reminds me so much of StorageTek’s tape drive robots. Man, those were so cool to watch whizzing around in their giant tubes grabbing and loading tape drives on demand.