So much this. Security information should simply never reside on-device in the first place.

That said, I think this is a thing with BitLocker? I remember coming across YubiKeys being able to do this via something called PIV (Personal Identity Verification). Found this guide now after giving it a quick search: https://gist.github.com/daemonhorn/03301a66da7d1f4de6cdc8c8b...

Not sure how sound a design it is, though; I didn't dig into it much at all.

With PIV, the private keys are stored inside the smartcard (a Yubikey is just one type of smartcard) and don't leave it. They're used for encryption/decryption by the host.

Yes, it's generally sound, and is the primary means of authentication and encryption used by the US military for classified systems.

Linux+LUKS enables FIDO2, which uses sha256, meets the requirements of "never leaves the device" and keeps it on a separate device, on a separate secure element.
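The "never leaves the device" property of the LUKS+FIDO2 setup rests on the FIDO2 hmac-secret extension: the host stores only a random salt in the LUKS2 header, and at unlock time the token returns HMAC-SHA256(credential secret, salt), which becomes the keyslot passphrase. The model below is an added illustration, not code from the thread, systemd or cryptsetup; `Fido2Token`, `enroll` and `unlock` are constructed stand-ins for the authenticator and for what `systemd-cryptenroll --fido2-device=auto` does with a real header, and the XOR wrap stands in for the LUKS keyslot.

```python
import hashlib
import hmac
import secrets


class Fido2Token:
    """Constructed stand-in for a FIDO2 authenticator (not real hardware).

    The credential secret is generated inside the token and is never
    returned to the host; only HMAC outputs over host-chosen salts are.
    """

    def __init__(self) -> None:
        self._cred_secret = secrets.token_bytes(32)  # assumption: stays on-token

    def hmac_secret(self, salt: bytes) -> bytes:
        # hmac-secret extension: HMAC-SHA256 over the host-supplied salt
        return hmac.new(self._cred_secret, salt, hashlib.sha256).digest()


def enroll(token: Fido2Token, volume_key: bytes) -> dict:
    """Host side at enrollment: pick a fresh salt, ask the token for the
    derived key, and persist only salt + wrapped key + a check digest.
    Nothing stored here reveals the token's secret or the volume key."""
    assert len(volume_key) == 32
    salt = secrets.token_bytes(32)
    kek = token.hmac_secret(salt)
    # Modelled keyslot: 32-byte key XOR 32-byte one-time HMAC output.
    wrapped = bytes(a ^ b for a, b in zip(volume_key, kek))
    return {
        "salt": salt,
        "wrapped_key": wrapped,
        "check": hashlib.sha256(kek).digest(),
    }


def unlock(token: Fido2Token, header: dict):
    """Host side at boot: replay the stored salt to whatever token is
    present; the wrong token yields a different HMAC and fails the check."""
    kek = token.hmac_secret(header["salt"])
    if not hmac.compare_digest(hashlib.sha256(kek).digest(), header["check"]):
        return None  # token does not hold the enrolled credential
    return bytes(a ^ b for a, b in zip(header["wrapped_key"], kek))
```

With a real volume the salt and check data live in the LUKS2 token area (visible via `cryptsetup luksDump`), and the hardware can be required to also demand a PIN or touch before answering the HMAC request.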