SSH with private keys sealed in TPM on Fedora Linux
June 19, 2025

If you have no Yubikey to keep SSH private keys on, you may want to keep them sealed in the TPM instead, so that the key material never sits unprotected on disk.
Here is how to do this on Fedora Linux using https://github.com/Foxboron/ssh-tpm-agent :
$ sudo dnf install openssl-devel
$ go install github.com/foxboron/ssh-tpm-agent/cmd/...@latest
$ ~/go/bin/ssh-tpm-keygen --supported
ecdsa bit lengths: 256 384
rsa bit lengths: 2048
This TPM supports ECDSA keys of 384 bits (but not 521), so:
$ ~/go/bin/ssh-tpm-keygen -b 384
You may want to use an empty passphrase (here only). Now let's activate this TPM SSH agent:
$ ssh-tpm-agent --install-user-units
$ systemctl --user enable --now ssh-tpm-agent.socket
Point SSH_AUTH_SOCK at the new agent socket so that ssh talks to this agent.
Transfer ~/.ssh/id_ecdsa.pub to https://github.com/settings/keys, and test it:
$ ssh git@github.com
Voilà!
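A small sanity check for the setup above, as an added example (not from the post or the ssh-tpm-agent project): it confirms that SSH_AUTH_SOCK points at a socket, that the agent actually serves the key in the public key file, and that no plaintext private key was left beside it. It assumes the public key is ~/.ssh/id_ecdsa.pub and that a plaintext key, if one existed, would be ~/.ssh/id_ecdsa; both are assumptions, not stated in the post.

```shell
# verify_tpm_ssh.sh: checks for the ssh-tpm-agent setup described above.
# Added example, not part of the original post or of ssh-tpm-agent.
# Assumed paths (not from the post): ~/.ssh/id_ecdsa.pub and ~/.ssh/id_ecdsa.

# key_in_agent PUBKEY_FILE LISTING_FILE
# 0 when the "type base64blob" from PUBKEY_FILE appears in LISTING_FILE,
# a saved `ssh-add -L` listing (the trailing comment is ignored).
key_in_agent() {
    key=$(awk 'NR==1 {print $1" "$2}' "$1")
    [ -n "$key" ] && grep -qF -- "$key" "$2"
}

# no_plaintext_key PATH
# 0 when PATH is absent or is not a plaintext private key: the point of
# sealing the key in the TPM is that no usable key file exists on disk.
no_plaintext_key() {
    [ ! -e "$1" ] || ! grep -qE 'BEGIN (OPENSSH|EC|RSA) PRIVATE KEY' "$1"
}

# agent_socket_ok
# 0 when SSH_AUTH_SOCK is set and names a unix socket (the ssh-tpm-agent
# socket once the user socket unit is active).
agent_socket_ok() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# check_setup [PUBKEY_FILE]: run all checks, return 0 only if all pass.
check_setup() {
    pub="${1:-$HOME/.ssh/id_ecdsa.pub}"
    priv="${pub%.pub}"
    listing=$(mktemp) || return 1
    rc=0
    agent_socket_ok || { echo "SSH_AUTH_SOCK is not a socket"; rc=1; }
    ssh-add -L >"$listing" 2>/dev/null || { echo "agent lists no identities"; rc=1; }
    key_in_agent "$pub" "$listing" || { echo "agent does not serve $pub"; rc=1; }
    no_plaintext_key "$priv" || { echo "plaintext private key found at $priv"; rc=1; }
    rm -f "$listing"
    [ "$rc" -eq 0 ] && echo "ok: $pub is served by the agent, no plaintext key on disk"
    return "$rc"
}

# The checks run only when invoked as: sh verify_tpm_ssh.sh run [PUBKEY_FILE]
if [ "${1:-}" = run ]; then
    check_setup "${2:-}"
fi
```

Run it in the same shell session where SSH_AUTH_SOCK was exported; a non-zero exit means one of the three checks failed and the reason is printed.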