Storing the private key unencrypted on disk is extremely insecure: any program or user with read access to the file can copy it. GPG therefore lets you set a passphrase that encrypts the private key at rest (the protection is only as strong as the passphrase resists guessing). Even then the key is not fully safe, because it must be decrypted into memory whenever a private-key operation (signing or decryption) is performed; if memory is dumped at that moment, the private key can still be exposed.
An alternative is a hardware security module (HSM): a device that stores private keys and performs the decryption and signing operations itself. When the private key is generated on, or imported into, the HSM, decryption and signing never require it to leave the device; only the data to be processed goes in and only the result (the plaintext or the signature) comes out, so software on the host cannot copy the key off. The HSM authenticates its user with a mechanism such as a PIN, and some security keys additionally require a physical touch to approve each operation, so malware that has compromised the host cannot silently use the key without a person present at the device.
OnlyKey can be used as such an HSM. What sets it apart from most other devices is that it supports encrypted backups and allows private keys to be exported, with those operations still gated by the PIN. This is a deliberate trade-off: a device that never releases the key cannot be backed up, whereas with OnlyKey the key's confidentiality also depends on how well the exported or backed-up copy is protected.
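A check that follows from the two paragraphs above: moving a key onto a hardware device only removes the on-disk and in-memory exposure if no software copy of the private key remains in the local keyring. The script below is an added example, not part of the original page and not OnlyKey's own tooling. It parses the machine-readable output of `gpg --list-secret-keys --with-colons` (GnuPG 2.1 and later), where field 15 of a `sec` or `ssb` record holds the serial number of the token that owns the key, `#` for a bare stub with no token information, or `+` when the secret key material is present in the keyring. The listing it reads is a constructed sample with made-up key IDs and a made-up serial number; whether a particular device (OnlyKey included) appears to gpg as a token with a serial number depends on how it integrates with gpg, so treat the "token" case as the generic OpenPGP smartcard path.

```shell
#!/bin/sh
# Added example (not from the original page): classify GnuPG secret keys by
# where the private material lives, from the output of
#   gpg --list-secret-keys --with-colons
# Field 15 of a sec/ssb record is the token serial number, "#" for a bare
# stub, or "+" when the secret key material is available in the local keyring.

# Constructed sample listing (fake key IDs, fake token serial): a primary key
# kept in software with one subkey on a token and one stub subkey, followed by
# a second key that lives entirely in software.
SAMPLE_LISTING='sec:u:255:22:0123456789ABCDEF:1700000000:::u:::cESC:::+::ed25519:23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
ssb:u:255:22:FEDCBA9876543210:1700000000::::::s:::D2760001240100000006123456780000::ed25519:23:
ssb:u:255:18:1122334455667788:1700000000::::::e:::#::cv25519:23:
sec:u:3072:1:89ABCDEF01234567:1600000000:::u:::scESC:::+:::23::0:
ssb:u:3072:1:76543210FEDCBA98:1600000000::::::e:::+:::23:'

# Read a --with-colons listing on stdin and print one line per secret key or
# subkey: record type, key ID, and where the private material is.
#   software      -> key material is in the keyring ("+"); note that this
#                    says nothing about whether it is passphrase-protected
#   stub          -> bare stub, no material and no token serial ("#")
#   token:<serial>-> key is held by a hardware token with that serial number
classify_secret_keys() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" {
      token = $15
      if (token == "+")       where = "software"
      else if (token == "#")  where = "stub"
      else if (token != "")   where = "token:" token
      else                    where = "unknown"
      printf "%s %s %s\n", $1, $5, where
    }'
}

# Succeed (exit 0) only if no secret key material remains in the software
# keyring, i.e. every sec/ssb record is either a token key or a stub.
no_software_secrets() {
  ! classify_secret_keys | grep -q ' software$'
}

# Usage against the constructed sample; on a real system feed it
#   gpg --list-secret-keys --with-colons | classify_secret_keys
printf '%s\n' "$SAMPLE_LISTING" | classify_secret_keys
if printf '%s\n' "$SAMPLE_LISTING" | no_software_secrets; then
  echo "OK: no private key material in the local keyring"
else
  echo "WARNING: some private keys are still stored in software"
fi
```

The "software" result is the case the first paragraph warns about: the key is on disk (possibly passphrase-encrypted, which this listing cannot tell you) and will be decrypted into memory for each operation. Only the "token" and "stub" results mean the host holds nothing that can be copied.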