Document recommended practices for private key storage
Supported options are an unencrypted private key file, and a public key file + access to the private key via ssh-agent. When using ssh-agent, one could use ssh-add with an encrypted private key file, or some hardware key, e.g., a YubiKey or Tillitis key.
EDIT: concretely, we will need to hash this out for YubiHSM(s). And document the entire key management process that we're recommending the Sigsum project to use. Hopefully it will also be useful for others.
Aim: the same YubiHSM setup we do for log-go, we can also use for our witness later on.
Edited by Rasmus Dahlberg
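The ssh-agent option described in this issue, sketched with stock OpenSSH tools as an added example (not part of the issue and not Sigsum's own tooling or documentation): an encrypted key is loaded with ssh-add, after which signing needs only the public key file. The function name, paths, passphrase, signature namespace and identity are constructed for the demonstration.

```shell
# Added example: sign through ssh-agent with only the public key file on disk.
# All names and the passphrase are constructed sample values.
agent_sign_demo() (
    umask 077
    dir=$(mktemp -d) || exit 1
    # Stop the agent and wipe the scratch directory when the subshell exits.
    trap 'ssh-agent -k >/dev/null 2>&1; rm -rf "$dir"' EXIT

    # 1. Create an encrypted Ed25519 private key file.
    ssh-keygen -q -t ed25519 -N 'constructed-passphrase' -C demo \
        -f "$dir/key" || exit 1

    # 2. Start a dedicated agent and load the key. The askpass helper only
    #    exists so the example runs without a terminal; interactively,
    #    ssh-add would prompt for the passphrase instead.
    eval "$(ssh-agent -s)" >/dev/null || exit 1
    printf '#!/bin/sh\necho constructed-passphrase\n' > "$dir/askpass"
    chmod 700 "$dir/askpass"
    SSH_ASKPASS="$dir/askpass" SSH_ASKPASS_REQUIRE=force DISPLAY=none \
        ssh-add -q "$dir/key" </dev/null || exit 1

    # 3. Remove the private key file from this host; in practice the
    #    encrypted file would be kept on offline media instead of deleted.
    rm -f "$dir/key"

    # 4. Sign using the public key file; the private key operation happens
    #    inside the agent. Writes the signature to "$dir/msg.sig".
    printf 'constructed message\n' > "$dir/msg"
    ssh-keygen -q -Y sign -f "$dir/key.pub" -n example "$dir/msg" || exit 1

    # 5. Verify the signature against the public key only.
    printf 'demo %s\n' "$(cut -d' ' -f1,2 "$dir/key.pub")" > "$dir/allowed"
    ssh-keygen -Y verify -f "$dir/allowed" -I demo -n example \
        -s "$dir/msg.sig" < "$dir/msg" >/dev/null || exit 1
)
```

With a hardware key, step 2 would be replaced by whatever loads that device into the agent, and no private key file would exist at any point.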