GCPPrivateKeyStore is backed by Firestore in Datastore mode, with the private key field encrypted at rest with GCP KMS. Operators are responsible for the provisioning of the KMS key, so that they can choose the key type (e.g., software, HSM). We wish we could've just stored the private key in KMS, but PKI.js doesn't fully support that yet.
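The pattern described above (a database row whose private key field is encrypted by a KMS key), as an added sketch that is not the project's own code. `FakeKms`, `EncryptedFieldKeyStore`, the `Map` used in place of Datastore and the key IDs are hypothetical stand-ins so it runs offline. It goes one step beyond the text by binding each ciphertext to its key ID as additional authenticated data, so a ciphertext copied onto another row fails to decrypt.

```javascript
const crypto = require("node:crypto");

// Constructed stand-in for a KMS symmetric key: AES-256-GCM with caller-supplied AAD.
class FakeKms {
  constructor() { this.key = crypto.randomBytes(32); }
  encrypt(plaintext, aad) {
    const iv = crypto.randomBytes(12);
    const c = crypto.createCipheriv("aes-256-gcm", this.key, iv);
    c.setAAD(aad);
    const body = Buffer.concat([c.update(plaintext), c.final()]);
    return Buffer.concat([iv, c.getAuthTag(), body]); // iv | tag | ciphertext
  }
  decrypt(ciphertext, aad) {
    const d = crypto.createDecipheriv("aes-256-gcm", this.key, ciphertext.subarray(0, 12));
    d.setAAD(aad);
    d.setAuthTag(ciphertext.subarray(12, 28));
    return Buffer.concat([d.update(ciphertext.subarray(28)), d.final()]); // throws on tamper
  }
}

// Hypothetical store: a Map stands in for the Datastore kind holding the keys.
class EncryptedFieldKeyStore {
  constructor(kms, table = new Map()) { this.kms = kms; this.table = table; }
  save(keyId, privateKeyDer) {
    const aad = Buffer.from(keyId, "utf8"); // ties the ciphertext to this row
    this.table.set(keyId, { privateKeyCiphertext: this.kms.encrypt(privateKeyDer, aad) });
  }
  retrieve(keyId) {
    const row = this.table.get(keyId);
    if (!row) return null;
    return this.kms.decrypt(row.privateKeyCiphertext, Buffer.from(keyId, "utf8"));
  }
}

function demo() {
  const { privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const der = privateKey.export({ type: "pkcs8", format: "der" }); // constructed sample key
  const store = new EncryptedFieldKeyStore(new FakeKms());
  store.save("key-a", der);
  store.save("key-b", crypto.randomBytes(16));
  const roundTrip = store.retrieve("key-a").equals(der);
  const plaintextAtRest = store.table.get("key-a").privateKeyCiphertext.includes(der);
  // Integrity check: a row overwritten with another row's ciphertext must not decrypt.
  store.table.set("key-b", store.table.get("key-a"));
  let swapRejected = false;
  try { store.retrieve("key-b"); } catch { swapRejected = true; }
  return { roundTrip, plaintextAtRest, swapRejected };
}
console.log(demo());
```

With a real Cloud KMS symmetric key, the same binding is available through the `additionalAuthenticatedData` field of the encrypt and decrypt requests.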