https://developer.chrome.com/extensions/enterprise_platformKeys exposes an API for manipulating ChromeOS key stores, such as the 'user' and 'system' tokens. Keys generated will be backed in the 'private' slot - aka Chaps - and stored in the TPM.

This can cause performance considerations, depending on the key use, so this is an Enterprise feature request to support provisioning explicitly software-backed keys (that is, keys that are wrapped with TPM-protected secrets, but whose algorithms are implemented in userland, rather than the TPM)