> by the looks of it, would still be putting the key in the store, which
> is insecure.

That's correct. I think you should look at how the ssh service or the wireguard service manages its keys. IIRC, they do so by generating a new key during /activation/ of the system.