Score:2

Are passkeys actually hardware keys or are they just reversibly encrypted keys secured by a hardware key?


Passkeys have this complicated QR code + Bluetooth dance to enroll a new device which seems like it ought to be securely creating a key on the device in a TPM.

However the messaging around "sync" seems to suggest that while that is happening, the device key is only used to encrypt a software key which is encrypted and synced to (Google, Amazon, Microsoft's) servers.

It seems like it would be more secure to have a key per-device and not bother with "sync" as a feature. But maybe "sync" doesn't mean what it sounds like, am I misunderstanding?

Score:3

TL;DR: They're private keys kept in a secure device. Whether in software or hardware is implementation dependent, but the big vendors (Apple, Google) are probably storing them to be accessible only to a hardware enclave (e.g. TrustZone, Apple Secure Enclave, Google Titan) but also synced to the cloud and across devices (Google Password Manager/iCloud Keychain).

Bluetooth pairing involving a QR code between (e.g.) a laptop and a smartphone lets the laptop use passkeys stored on the phone and has nothing to do with key generation of individual passkeys.


Passkeys are "FIDO credentials"

(Note that some companies are calling FIDO credentials "passkeys" in their product implementations.)

FIDO credentials are a public/private key pair (unique key pair per website). The public key gets shared with your bank or similar; you keep the private key to yourself. When authenticating you do some protocol to prove possession of the private key (WebAuthn).

There are two use cases. The first is having the credential on the device for local use.

Google:

On Chrome on Android, passkeys are stored in the Google Password Manager, which synchronizes passkeys between the user's Android devices that are signed into the same Google account.

Apple is doing something similar with iCloud key-chain.

Credentials synchronise across devices so losing a device isn't catastrophic. Root of trust becomes your Google or Apple account.

Bluetooth?

The second use case is to address phishing.

Traditional TOTP tokens and SMS 2FA are phishable: dumb users will happily put their password and numeric 2nd-factor code into an attacker's "definitely-bank.com" website.

Bluetooth pairing allows your non-passkey storing device to use passkeys stored on your smartphone. There's some encryption and authentication involved initially to pair the (laptop/desktop/whatever) to your phone, thus the QR code thing. The point being to give the device access to your phone's stored passkeys. The passkeys can't be phished which is the claimed improvement over traditional TOTP/SMS 2FA.

Note that your phone will probably ask for authentication when passkeys are used so use of the passkey is vouching for possession of your phone and pin/biometrics (security setting dependent).
