Make a minimal Debian Template and just do this: SSH client with KeePassXC based on a minimal Debian template - #18 by whoami
You will have a:
- Dedicated AppVM / TemplateVM for KeePassXC (without network connection)
- (Reasonably) secure database (optionally + YubiKey CR) for passwords and OTPs
- Secure split-SSH (keys are stored within your KeePassXC database file)
- Optionally split-GPG (outside KeePassXC but within your vault VM)