@kraftb
Created April 1, 2014 16:49
Generate public/private keypair and output to stdout
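#!/bin/bash
# Key size in bits for the RSA key
BITS=2048
# In one line:
# rm -f temp.key && ssh-keygen -t rsa -b 2048 -f temp.key -N "" -q && ssh-keygen -e -f temp.key -m PKCS8 | tr "\n" " " && echo && cat temp.key | tr "\n" " " && echo
# In multiple lines:
# Remove any previous key so ssh-keygen does not prompt to overwrite it
rm -f temp.key
# Generate an RSA key pair with an empty passphrase (writes temp.key and temp.key.pub)
ssh-keygen -t rsa -b "$BITS" -f temp.key -N "" -q
echo
# Print the public key in PKCS8 (PEM) format, joined onto a single line
ssh-keygen -e -f temp.key -m PKCS8 | tr "\n" " "
echo
echo
# Print the private key, joined onto a single line
cat temp.key | tr "\n" " "
echo
echo
# temp.key and temp.key.pub remain in the current directory after the script ends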
@sanmai-NL

@allisonkarlitskaya Thanks for your contribution. Note that much of the trickery here, that is, all solutions other than using openssl or your first Python solution, will fail if you work on a read-only filesystem.

@cjshearer

Here's a practical example of this for encrypting the ssh key with sops and age in a taskfile:

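version: "3"

tasks:
  gen-key:
    desc: Generate encrypted ssh key
    silent: true
    status:
      # Skip the task when the encrypted key already exists
      - test -f ssh.sops.key
    cmds:
      # Named pipes, so the plaintext key is never stored in a regular file
      - mkfifo key key.pub
      - defer: rm key key.pub
      - cat key | sops -e /dev/stdin > ssh.sops.key &
      - 'printf "Your public key:\n$(cat key.pub)\n" &'
      # "yes" feeds "y" to ssh-keygen, which asks to overwrite the existing FIFO
      - yes | ssh-keygen -t ed25519 -f key > /dev/null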

@santosh0705

I was working on a script to generate an SSH key pair and store it directly in my vault. I came across this gist and found @mprasil's approach very helpful as a starting point.
That said, I ended up implementing it a bit differently. Since I needed to read both the private and public keys after generation, I decided to run the key generation process itself in the background (instead of backgrounding the file reads). Also, the contents are read into a variable which you can use elsewhere in the script. It also does the cleanup on exit.
Here's my version of the code - hope it helps someone else!

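# Excerpt from inside a shell function (hence "local")
local COMMENT="Your comment"
local TEMP_DIR
TEMP_DIR=$(mktemp -d)
# Remove the temporary directory, FIFOs included, when the script exits
trap "rm -rf '${TEMP_DIR}'" EXIT
local KEY_FILE="${TEMP_DIR}/key"

# Named pipes take the place of the key files
mkfifo "${KEY_FILE}" "${KEY_FILE}.pub"
# Run ssh-keygen in the background; "y" answers the overwrite prompt for the existing FIFO
(ssh-keygen -t ed25519 -N '' -q -f "${KEY_FILE}" -C "${COMMENT}" <<< y > /dev/null)&
sleep 0.1
# Each read blocks until ssh-keygen writes the corresponding key
PRI_KEY=$(< "${KEY_FILE}")
PUB_KEY=$(< "${KEY_FILE}.pub")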
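
Added example, not part of the gist or of any comment above: a POSIX sh variant of the gist's goal that keeps the key files in a private scratch directory (`umask 077`, `mktemp -d`), removes them on every exit path, and checks that the public key matches the private key before printing anything. The function names `gen_keypair`, `keypair_private` and `keypair_public` and the `keygen.XXXXXX` template are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names and the scratch-directory template are assumed.

# gen_keypair [comment]
# Prints an unencrypted ed25519 private key followed by its one-line public
# key on stdout. The key files live only in a private scratch directory that
# is removed when the function returns, whether it succeeds or fails.
gen_keypair() (
    # The body runs in a subshell, so umask, traps and variables stay local.
    umask 077
    # mktemp -d honours TMPDIR; on a read-only root, point TMPDIR at a tmpfs.
    dir=$(mktemp -d "${TMPDIR:-/tmp}/keygen.XXXXXX") || exit 1
    trap 'rm -rf "$dir"' EXIT
    trap 'exit 1' HUP INT TERM   # turn signals into an exit so cleanup runs

    ssh-keygen -q -t ed25519 -N '' -C "${1:-generated}" -f "$dir/key" || exit 1

    # Re-derive the public key from the private key and compare the key
    # material (type and base64 blob) with the .pub file before printing.
    derived=$(ssh-keygen -y -f "$dir/key" | cut -d' ' -f1,2) || exit 1
    stored=$(cut -d' ' -f1,2 "$dir/key.pub")
    [ -n "$derived" ] && [ "$derived" = "$stored" ] || exit 1

    cat "$dir/key" "$dir/key.pub"
)

# Split the combined output: the last line is the public key, the rest is
# the private key (printf restores the newline that $(...) stripped).
keypair_private() { printf '%s\n' "$1" | sed '$d'; }
keypair_public()  { printf '%s\n' "$1" | tail -n 1; }

# Usage:
#   pair=$(gen_keypair "deploy@ci")
#   keypair_private "$pair" | sops -e /dev/stdin > ssh.sops.key
#   keypair_public "$pair"
```

Unlike the FIFO variants above, this writes the key to regular files for a short time, so the scratch directory should sit on a memory-backed filesystem when the key must never reach persistent storage.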
