I agree, for serious secrets you should have something physical involved.
I spent a bit of time exploring some mechanism to encrypt files on disk and require a yubikey press to decrypt them transparently for the process requesting access, but I didn't really come up with a solution I liked. The idea there would be you're prompted "/usr/bin/safe wants to access secret.key, but it is marked as sensitive, decrypt and allow?". The notification part would be easy with fanotify but it wasn't entirely clear to me the best way to perform the decryption. I think storing the secret on a FUSE file system could work? Things like https://github.com/rfjakob/gocryptfs come to mind
Yes you can
-send-sigstopto SIGSTOP the process and then do whatever you'd like on your-on-touched-exesuch as attach via ptrace, dump all memory, etc. My current one will send a notification and dump the memory of the offending process.Definitely pay attention to the warning about running this on a server. With a KVM attached in a home lab you should be able to easily recover I guess. I think you could also set yourself up a little UDP service to SIGUSR1 the daemon since incoming packets are not dropped, but I haven't tested that.
[Note: intelligent malware can handle the SIGSTOP fairly easily. You could try to move the process to a new cgroup and then freeze the cgroup, as well, but there is a lot to consider here obviously]