The linux kernel (6.1 aka bookworm) provides a key retention service / keyring that allows safely storing and using keys.
We should track the evolution of the service as it could be pretty interesting for some use cases: acme-chief + cp servers. Sadly right now it doesn't support ECDSA so usage on cp servers is out of the question (yet).
links: