If I leak your keys once (say, through power analysis, glitching, whatever), I can decrypt everything that has ever been encrypted for that key, and everything that ever will be.
Doesn't it depend on the threat model? If your threat model does not include physical access compromise, then the commodity STM32 approach is quite OK, right? At least, in most cases it provides more security than storing the private key on disk.
I do agree that given the low prices of secure elements it is surprising that keys still don't use them. But that may depend on the lower-priced parts not being fit for FIDO2 or OpenPGP (though the Nitrokey FIDO does use an ATECC608A).