> by the looks of it, would still be putting the key in the store, which > is insecure.
That's correct. I think you should look at how the ssh service or the wireguard service manages its keys. IIRC, they do so by generating a new key during /activation/ of the system.
signature.asc
Description: PGP signature
