You implement it by putting the key inside a box, and letting that box perform the decryption. No other services/ports allowed. (Except you have to have a way to get the public key out, and allow the box to generate a private key which means it needs entropy). You can pot the box in epoxy for additional security.
So now you have an ultra secure box. It’s like the unsinkable Titanic. Someone (somehow) copies the key, and proceeds to decrypt all your citizens’ communications, but you are 100% that hasn’t happened, because it is, after all, impossible.
Just like it was impossible for the Titanic to sink.