I'm trying to weigh my options for a personal HSM. I wish to store both passwords and private PGP keys. I've been doing my research but I'm not a security expert and am feeling slightly overwhelmed; please educate me.
This project uses Yubikey 4 with passwordstore. Yubikey seems trusted by consumers despite having closed source firmware, but I'm still skeptical since I cannot find any audits of (or known vulnerabilities in) the firmware. I do like the touch-based auth feature.
Nitrokey is completely open source unlike Yubikey 4, but more expensive, and I wonder if it would be significantly more secure to have FIPS 140-2 validation (tamper-proof is attractive).
Putting a passwordstore and private PGP keys on a FIPS 140-2 validated USB drive would probably be the easiest to back up (given a second encrypted drive), but this isn't an HSM at all.
Perhaps GNUK could be useful, but I don't want to build an HSM from scratch.
Finally, this page suggests Yubikey/Nitrokey might not be as secure as they advertise.
Having read my concerns, are any of these options flawed, and is any one of them clearly optimal / 'most secure'? Feel free to suggest alternative ideas.