I'd also like this guide! I can't contribute a lot toward writing it, but the YubiKey NEO might be a valuable component for key management: http://www.yubico.com/products/yubikey-hardware/yubikey-neo/
In addition to standard YubiKey capabilities (OTP & static passwords), it's an OpenPGP smartcard. What I've seen suggests it should be possible to use it as a hardware token for both PGP encryption/signing and SSH authentication.