Is it possible to separate key management service from the node itself? The one might consider to split up these services for reducing security risks. Probably handling keys in a secure vault (e.g Intel SGX, ARM TPM, etc) is a proper solution for the same problem, but still it requires significant amount of work (and that is not implemented so far, right?)
Currently we have SDKs that can generate keys by themselves offline or airgapped, aglokey can generate stand alone keys as well and many of the goal commands will work offline.