google / trillian

A transparent, highly scalable and cryptographically verifiable data store.

Add Google Cloud KMS support

RJPercival opened this issue

A keys.ProtoHandler and associated protobuf message should be defined to support private keys stored in Google Cloud KMS. This would provide more secure storage for tree private keys than storing them in an encrypted file on the server or as plain text in the database. See https://cloud.google.com/kms/docs/create-validate-signatures for information on integrating with Google Cloud KMS.

@gdbelvin recommends using tink.
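
A sketch of the signing side of this request, added here as an example and not code from the Trillian project or the issue's participants. It assumes the handler would hand back a standard Go `crypto.Signer`; `kmsSigner`, `newFakeKMSSigner` and `signAndVerify` are hypothetical names, and a constructed in-process P-256 key stands in for the Cloud KMS call so that it runs offline.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// kmsSigner implements crypto.Signer over a remote key: it holds only the
// public key and a sign callback (hypothetical stand-in for a KMS client call).
type kmsSigner struct {
	pub  crypto.PublicKey
	sign func(digest []byte) ([]byte, error)
}

func (s kmsSigner) Public() crypto.PublicKey { return s.pub }

// Sign accepts only SHA-256 digests, since the remote key is bound to one algorithm.
func (s kmsSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if opts == nil || opts.HashFunc() != crypto.SHA256 || len(digest) != sha256.Size {
		return nil, fmt.Errorf("kmsSigner: key only signs SHA-256 digests")
	}
	return s.sign(digest)
}

// newFakeKMSSigner uses a constructed in-process P-256 key so this runs offline.
func newFakeKMSSigner() crypto.Signer {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return kmsSigner{&k.PublicKey, func(d []byte) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, k, d) }}
}

// signAndVerify signs SHA-256(msg) through s and checks it with s.Public().
func signAndVerify(s crypto.Signer, msg []byte) bool {
	h := sha256.Sum256(msg)
	sig, err := s.Sign(rand.Reader, h[:], crypto.SHA256)
	pub, ok := s.Public().(*ecdsa.PublicKey)
	return err == nil && ok && ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	fmt.Println(signAndVerify(newFakeKMSSigner(), []byte("constructed log root")))
}
```

With a real backend, only the `sign` callback and the public key lookup would change; the server process never holds the private key.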