I'd recommend looking into hardware wallets like Trezor for `age` hardware support. Trezor has ed25519 and the class of devices uses a proper secure approach to backup / recovery unlike traditional HSMs. There's also on-device confirmation and deniable passphrases.
As a reference, github.com/romanz/trezor- is an implementation of SSH and GPG with support for the TREZOR One, TREZOR Model T, Keepkey, and Ledger Nano S. I'd recommend a TREZOR Model T as the best reference due to supporting the option of on-device passphrase entry.
