
We store all keys that do not require automated access on Yubikey with the option that requires a physical touch per use.

Usage includes SSH authentication, file encryption (backups and exchanges), git commit signatures and password/secret storage using `pass`.

Copies of the offline master keys are stored on flash in safes onsite and offsite in bank vaults, and sub-keys are valid for one year.

We use HashiCorp's Vault for secrets that require automated access.



