
I've got the same setup with subkeys per Yubikey (though I had to rotate due to Infineon).

What do you mean by "device keys"? Something like forward secrecy keys for initial session setup as used by e.g. Signal? This could be done with some effort... actually, the developers of the Rust OpenPGP library Sequoia are already working on making this use case easier.

Another set of patches circulating on the ML adds support for TPM-bound keys that are non-extractable.


