RAUC supports encryption: https://rauc.readthedocs.io/en/latest/advanced.html#bundle-encryption This is great.
Currently, the whole manifest is encrypted https://rauc.readthedocs.io/en/latest/reference.html?highlight=manifest#sec-ref-formats
It would be nice to encrypt only the symmetric key used to (de)crypt the payload.  That would leave the meta-data (Compatible targets, Version, Description, Signature, ...) in clear, allowing tools to manage the bundle without requiring the key.