For people using 1Password you can get it to act as an agent to lookup keys directly in your vaults. Again, great integration on a Mac where you can use your fingerprint each time the key is required.
I've been hacking on `ssh-tpm-agent`, which allows you to create or import TPM-sealed keys. This is practical as it prevents key extraction, and it has dictionary attack protection, which allows you to have 4-digit PINs instead of passphrases to protect your private keys.
I used to use an easily memorizable password, but you said that was wrong and set me straight. Now my password is so complex that I have to rely upon a third-party service that keeps getting hacked.
Then you insisted I use keys. After, you became irate if I left the keys on my work dir.
Now you want me to lug around a 2U HSM appliance?!
> Now you want me to lug around a 2U HSM appliance?!
If you don't need a certified HSM that generates keys on device (and you don't, right? You can generate keys on a ramdisk from live media with no persistence and no/encrypted swap), you can use basically any PGP smartcard, including nice little USB ones like YubiKey and NitroKey. And even if you do, you can get a little USB HSM.