I agree, for serious secrets you should have something physical involved.

I spent a bit of time exploring some mechanism to encrypt files on disk and require a yubikey press to decrypt them transparently for the process requesting access, but I didn’t really come up with a solution I liked. The idea there would be you’re prompted “/usr/bin/safe wants to access secret.key, but it is marked as sensitive, decrypt and allow?”. The notification part would be easy with fanotify but it wasn’t entirely clear to me the best way to perform the decryption. I think storing the secret on a FUSE file system could work? Things like https://github.com/rfjakob/gocryptfs come to mind