I’m kind of in the same boat: I like the convenience of syncing with my mobile devices, but I’m concerned about the exposure of my password store, because, as time passes, even if I change my passphrase, old “versions” of my store may be brute forced as compute power increases and quantum computing becomes more accessible.
One of the things I’ve been using recently is gopass, a rewrite of the “classic” pass unix password manager in Go. It has some awesome features like password generation and some ability to do TOTP codes, and uses GPG and Git as the storage mechanism, making it far easier to move around with less fear of exposing secrets. Rather than one store that, once “cracked”, essentially gives access to all the secrets, each secret is separately encrypted to your GPG key, so you can rotate individual secrets without exposing your whole store to a timing attack (unless you re-encrypt everything to add a new recipient, but that is probably far less common on personal stores than if you are using it for collaboration at work).
My hope would be to see if I can set up my GPG key to be provided by the Nitrokey and the password store to live on the Nitrokey in the encrypted space, so unless they had access to my machine at the same time that I have the volume mounted and my GPG key loaded, they wouldn’t get anything, and even then they would have to hope I didn’t have the gpg-agent set up to prompt for my PIN after a minute or two.
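The per-secret encryption property described in the reply above (rotate one secret, touch one file; add a recipient, rewrite every file) can be reproduced with plain gpg. The script below is an added example, not code from the post or from the gopass/pass projects; it builds a throwaway keyring in a temporary GNUPGHOME, with two constructed keys (alice@example.com, bob@example.com) and constructed secret values, and assumes GnuPG 2.1 or later on PATH. The helper names (put_secret, get_secret, recipient_count, reencrypt_all) are mine, not gopass commands.

```shell
#!/bin/sh
# Added example, not from the post or from gopass/pass: a minimal per-secret
# store on plain gpg, showing why rotating one secret touches one file while
# adding a recipient re-encrypts the whole store. Requires GnuPG 2.1+.
# Keys, user ids and secret values below are throwaway, constructed for the demo.
set -eu

export GNUPGHOME="$(mktemp -d)"   # isolated keyring; nothing here touches ~/.gnupg
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$GNUPGHOME"' EXIT
STORE="$GNUPGHOME/store"
mkdir -p "$STORE"

# gpg wrapper: non-interactive, empty passphrase, no trust prompts (demo only;
# a real store keeps a passphrase or a smart-card PIN in front of the key)
gpg_q() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --trust-model always "$@"
}

make_key() {                       # $1 = user id, e.g. alice@example.com
    gpg_q --quick-generate-key "$1" default default never 2>/dev/null
}

# put_secret NAME VALUE RECIPIENT...  -> STORE/NAME.gpg encrypted to every RECIPIENT
put_secret() {
    name=$1; value=$2; shift 2
    rcpt=""
    for r in "$@"; do rcpt="$rcpt -r $r"; done
    # $rcpt is deliberately unquoted so it expands to separate -r flags
    printf '%s\n' "$value" | gpg_q $rcpt --encrypt --output "$STORE/$name.gpg" 2>/dev/null
}

get_secret() {                     # $1 = name; prints the plaintext
    gpg_q --decrypt "$STORE/$1.gpg" 2>/dev/null
}

# One "pubkey enc packet" (public-key-encrypted session key) per recipient,
# so counting them tells us who a file is readable by.
recipient_count() {
    gpg_q --list-packets "$STORE/$1.gpg" 2>/dev/null | grep -c '^:pubkey enc packet:'
}

# Re-encrypt every secret to the given recipient list: the whole-store step
# that adding a collaborator costs (each file is decrypted and encrypted again).
reencrypt_all() {
    for f in "$STORE"/*.gpg; do
        n=$(basename "$f" .gpg)
        put_secret "$n" "$(get_secret "$n")" "$@"
    done
}

file_sum() { cksum < "$STORE/$1.gpg" | cut -d' ' -f1; }   # cheap "did this file change?"

# --- demo ------------------------------------------------------------------
make_key alice@example.com
make_key bob@example.com

put_secret github 'hunter2-initial' alice@example.com
put_secret email  'mail-pass-1'     alice@example.com
EMAIL_SUM_0=$(file_sum email)

# 1. rotate one secret: only github.gpg is rewritten, email.gpg stays byte-identical
put_secret github 'hunter2-rotated' alice@example.com
EMAIL_SUM_1=$(file_sum email)

# 2. add bob as a recipient: every file is decrypted and rewritten
reencrypt_all alice@example.com bob@example.com
EMAIL_SUM_2=$(file_sum email)

printf 'github now: %s (recipients: %s)\n' "$(get_secret github)" "$(recipient_count github)"
printf 'email unchanged by rotation: %s, changed by new recipient: %s\n' \
    "$([ "$EMAIL_SUM_0" = "$EMAIL_SUM_1" ] && echo yes || echo no)" \
    "$([ "$EMAIL_SUM_1" != "$EMAIL_SUM_2" ] && echo yes || echo no)"
```

Run it as `sh demo.sh`; the temporary keyring and its agent are removed on exit. The last point in the reply, the agent prompting for the PIN again after a minute or two, is governed on the gpg-agent side by `default-cache-ttl` and `max-cache-ttl` (seconds) in `~/.gnupg/gpg-agent.conf`, reloaded with `gpgconf --reload gpg-agent`; how a smart card itself re-requires PIN entry is card-specific and worth checking against `gpg --card-status` for the Nitrokey in question.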