I have a different pubkey per device. I store all the pubkeys in the pass repo, and have a shell script to re-encrypt everything with those keys. So when I add a new device, I just need to add its pubkey, and then re-encrypt on an existing device.

I use yubikey over nfc with my phone. This way the private key material never reaches the phone.

Using the openkeychain app and password store.

I have multiple yubikeys as target for each password of course.