
This works fairly well when you are using it for 1 or 2 services. But if I use this hardware device for every service I use, creating a new device would be a month-long process, and missing one service could result in lock-out.

I do the same with my PGP key. I keep the "original" key offline and securely stored but I clone the key into my HSMs. That way the devices I use daily and frequently carry around can't be cloned and have strong brute-force protection (although malware could use my key while the device is compromised) and I can still "mint" new hardware devices without updating my PGP key everywhere and worrying about re-encrypting all old data that I still need.

This is definitely less secure than using keys generated on hardware devices, but for most of my use cases this tradeoff makes more sense.
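The workflow in the comment above (certify-only primary key kept offline, sign/encrypt/auth subkeys cloned onto each daily device) as an added GnuPG example; this is not the commenter's own script. It assumes GnuPG 2.1+ on PATH; the user id, lifetimes and directory names are constructed placeholders, and the keys are made without a passphrase only so it runs unattended.

```shell
#!/bin/sh
# Offline primary + exportable subkeys with GnuPG (added example).
# Assumes gpg 2.1+; user id below is a constructed placeholder.
UID_STR='Example User <user@example.invalid>'

# gpg wrapper: $1 = GNUPGHOME, rest = gpg args. Never opens a pinentry.
g() { h=$1; shift; GNUPGHOME=$h gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Fingerprint of the primary key for $UID_STR inside GNUPGHOME $1.
fpr_of() { GNUPGHOME=$1 gpg --batch --with-colons --list-keys "$UID_STR" | awk -F: '$1=="fpr"{print $10; exit}'; }

# 1. OFFLINE home: certify-only primary plus sign/encrypt/auth subkeys.
#    $1 = offline GNUPGHOME, $2 = output dir. Prints the primary fingerprint.
make_offline_primary() {
  offline=$1; out=$2
  mkdir -p "$offline" "$out"; chmod 700 "$offline"
  g "$offline" --quick-generate-key "$UID_STR" ed25519 cert never >/dev/null
  fpr=$(fpr_of "$offline")
  g "$offline" --quick-add-key "$fpr" ed25519 sign 1y >/dev/null
  g "$offline" --quick-add-key "$fpr" cv25519 encr 1y >/dev/null
  g "$offline" --quick-add-key "$fpr" ed25519 auth 1y >/dev/null
  # Full backup (primary + subkeys): the "original" that stays offline.
  g "$offline" --armor --export-secret-keys "$fpr" > "$out/primary-backup.asc"
  # Subkeys only: what gets loaded onto every daily device or token.
  g "$offline" --armor --export-secret-subkeys "$fpr" > "$out/subkeys.asc"
  g "$offline" --armor --export "$fpr" > "$out/public.asc"
  printf '%s\n' "$fpr"
}

# 2. DAILY home: import only the subkeys. Prints "stub" when the primary
#    secret key is absent (colon field 15 is '#'): the device can sign and
#    decrypt but cannot certify or mint new subkeys.
load_daily() {
  daily=$1; out=$2
  mkdir -p "$daily"; chmod 700 "$daily"
  g "$daily" --import "$out/public.asc" "$out/subkeys.asc" >/dev/null 2>&1
  GNUPGHOME=$daily gpg --batch --with-colons --list-secret-keys \
    | awk -F: '$1=="sec"{ s = ($15=="#") ? "stub" : "present"; print s; exit }'
}

# 3. Signing still works from the daily keyring via the signing subkey.
#    $1 = daily GNUPGHOME, $2 = primary fingerprint. Returns 0 on success.
daily_can_sign() {
  printf 'hello\n' | g "$1" --local-user "$2" --detach-sign >/dev/null
}

# On a real token the subkeys are then moved interactively with
#   gpg --edit-key FPR  ->  key N  ->  keytocard
# which replaces the local copy with a stub; to clone them onto a second
# token, import subkeys.asc again and repeat keytocard.
```

Because keytocard moves rather than copies, every additional HSM is loaded from the same subkeys.asc export, which is what lets new devices be minted without touching the primary key or re-encrypting old data.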


