KVM supports emulated TPM2 hardware and the version in Bullseye gains the ability to encrypt its secrets . tpm2-pk11  is a program that allows protecting OpenSSH and firefox private keys using the TPM. If the package finds a new upstream maintainer we can test it in Debian stable-next with the virtual TPM hardware.
Debian maintainers will move to tpm2-pkcs11 
The above package depends on gnupg-pkcs11-scd which is available in Debian.
only works for TPM 1.2
Opened a RFP for this package which fulfills this ticket in case someone upstream picks it up. https://bugs.debian.org/941951
The upstream TPM2 project is looking at consolidating the multiple code projects out there into an upstream implementation superseding the projects above.