KVM supports emulated TPM2 hardware, and the version in Bullseye gains the ability to encrypt its secrets [0]. tpm2-pk11 [1] is a program that allows protecting OpenSSH and Firefox private keys using the TPM. If the package finds a new upstream maintainer, we can test it in Debian stable-next with the virtual TPM hardware.
Debian maintainers will move to tpm2-pkcs11 [3].
[0] http://forums.whonix.org/t/kvm-virtual-tpm-aka-the-universal-smartcard/8244
[1] https://github.com/irtimmer/tpm2-pk11
[2] https://github.com/irtimmer/tpm2-pk11/wiki
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941951#10
EDIT:
The above package depends on gnupg-pkcs11-scd, which is available in Debian.
https://packages.debian.org/source/stable/gnupg-pkcs11-scd
https://packages.debian.org/buster/simple-tpm-pk11 only works for TPM 1.2.
Opened an RFP for this package which fulfills this ticket in case someone upstream picks it up. https://bugs.debian.org/941951
The upstream TPM2 project is looking at consolidating the multiple code projects out there into an upstream implementation superseding the projects above.