Hey,
It is no secret that we can use both Ledger and Trezor in Brave.
But there's a case to be made for using the YubiKey OpenPGP applet for encryption-at-rest of the initially "software"-managed keys, which would be one step beyond the naïve password protection currently employed by the vast majority of Brave Wallet users.
Brave Browser is uniquely positioned to employ libgnupg, the state-of-the-art cryptographic package, to leverage the YubiKey Series 5 and YubiKey HSM secure applet capability. With a YubiKey the private key does not leave the stick. Any cryptographic operations which need the private key are executed on the YubiKey itself. This is the same concept you have with other kinds of smartcards.
Contrary to an encrypted USB stick, the private key is thus never accessible on the computer. If an attacker has compromised the system, he can at most trick you into signing something you don't want while the YubiKey is plugged in. But with the encrypted USB stick mounted, the attacker can actually steal your private key and thus use it whenever he wants, even outside of your system.
Now, take a look at the list of supported curves, which notably includes secp256k1, used by Bitcoin and Ethereum, among others.
There's only one slot for an A-capability PGP key in the YubiKey 5, but their HSM 2s can store as many as twenty-five or so quite comfortably. However, there's also an E-capability (Encryption) slot which can be used to encrypt arbitrary data such as non-supported key material, which would later be used to sign in software, yet at no point would Brave actually require a password to be entered.
I feel like this is an avenue worth pursuing.
We use YubiKeys extensively in the charity where I work, and although much of what we do is based on multisig, nothing can prevent me from using my individual key separately in Web3 interactions.
Best regards,
~badt
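The flow the post proposes for the E-capability slot (wrap the wallet's software key material under an OpenPGP encryption key, keep only ciphertext on disk, unwrap through gpg on demand), as an added shell example that is not code from the original post or from Brave. It assumes GnuPG 2.1 or later is installed. Because a YubiKey cannot be present in an offline demo, the setup function generates a throwaway software key pair in an isolated GNUPGHOME; with a real card, `gpg --card-status` registers the card's keys and the hypothetical `RECIPIENT` value becomes the card key's id, at which point the same `--decrypt` call performs the unwrap on the card and prompts for the card PIN instead of a wallet password. The keystore contents and the file names are constructed for the demo.

```shell
# Added example, not code from the original post or from Brave: wrap a
# software-managed wallet secret under an OpenPGP encryption (E-capability)
# key with gpg, so that only ciphertext ever sits on disk and unwrapping goes
# through gpg-agent. With a YubiKey's OpenPGP applet inserted, that decryption
# runs on the card; for an offline demo we instead generate a throwaway
# software key in an isolated GNUPGHOME. Requires gpg (GnuPG 2.1+).

# Hypothetical user id for the throwaway demo key; with a real card, set this
# to the card's key id as shown by `gpg --card-status`.
RECIPIENT="brave-wallet-demo@example.invalid"

# Create an isolated GnuPG home and an unprotected software key pair for the
# demo. Sets WORK and GNUPGHOME for the other functions.
wallet_kek_setup() {
  WORK="$(mktemp -d)"
  GNUPGHOME="$WORK/gnupg"
  export GNUPGHOME
  mkdir -m 700 "$GNUPGHOME"
  # Loopback pinentry lets --passphrase work non-interactively. Drop this
  # line when using a real card so the PIN prompt goes through pinentry.
  printf 'pinentry-mode loopback\n' > "$GNUPGHOME/gpg.conf"
  # "default default never": default algorithm and usage, which yields a
  # certify/sign primary key plus an encryption subkey, never expiring.
  gpg --batch --quiet --passphrase '' \
      --quick-generate-key "$RECIPIENT" default default never 2>/dev/null
}

# Encrypt a keystore file to the recipient's encryption subkey.
# $1 = plaintext file, $2 = armored ciphertext to write.
wallet_key_wrap() {
  gpg --batch --quiet --yes --trust-model always \
      --recipient "$RECIPIENT" --armor --output "$2" --encrypt "$1"
}

# Decrypt the wrapped keystore back to a file. With a card-backed key the
# session-key unwrap happens inside the YubiKey; the private key never
# reaches this process. $1 = armored ciphertext, $2 = plaintext to write.
wallet_key_unwrap() {
  gpg --batch --quiet --yes --output "$2" --decrypt "$1"
}

# The property that matters: a copy of the ciphertext in a GnuPG home that
# lacks the private key (what an attacker who copies the disk gets) must not
# decrypt. Returns 0 when gpg refuses, 1 if decryption somehow succeeded.
# $1 = armored ciphertext.
wallet_ciphertext_alone_is_useless() {
  empty="$(mktemp -d)"
  chmod 700 "$empty"
  rc=0
  if GNUPGHOME="$empty" gpg --batch --quiet --decrypt "$1" >/dev/null 2>&1; then
    rc=1
  fi
  GNUPGHOME="$empty" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$empty"
  return "$rc"
}

# Stop the demo agent and remove the temporary home.
wallet_kek_teardown() {
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$WORK"
}

# Round trip on a constructed keystore: returns 0 when the ciphertext is
# armored, the decrypted file matches the original, and decryption without
# the private key fails.
wallet_wrap_roundtrip() {
  wallet_kek_setup || return 1
  printf '{"seed":"constructed-demo-seed-not-a-real-wallet"}\n' > "$WORK/keystore.json"
  wallet_key_wrap "$WORK/keystore.json" "$WORK/keystore.json.asc" || return 1
  grep -q 'BEGIN PGP MESSAGE' "$WORK/keystore.json.asc" || return 1
  wallet_key_unwrap "$WORK/keystore.json.asc" "$WORK/keystore.dec" || return 1
  cmp -s "$WORK/keystore.json" "$WORK/keystore.dec" || return 1
  wallet_ciphertext_alone_is_useless "$WORK/keystore.json.asc" || return 1
  wallet_kek_teardown
}
```

The caveat the post itself raises still applies to the unwrapped form: once `wallet_key_unwrap` has run, the plaintext key material is in the browser's memory and a compromised host can read or misuse it for as long as it stays there, so the wallet should unwrap only for the duration of a signing operation and wipe the buffer afterwards. What the card buys is that the ciphertext on disk, and any backup of it, is useless without the physical key and its PIN.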