Ken Keys:
If the tor process is going to use the key, at some point the unencrypted key has to be visible to the machine running it. You would in any case have to trust the machine hosting the tor node. A more secure setup would be to run the tor node inside an encrypted VM and use your smartcard/dongle/whatever to unlock the VM.
The point is that one can't[*] extract a private key from a smartcard and because of that even if machine is compromised your private key stays safe.
[*] Not so easy, but possible.