Ultimately, secrets like keys should not be stored on the file system, for a myriad of reasons, not the least of which you have cited here. However, even given an encrypted artifact, a process like this presumes the secrets are the same for all nodes the artifact is being deployed to; which, second only to no security, is the bane of IoT’s future.
I would much rather see effort in the road map targeting PKCS#11/HSM support - but then I'm biased, as all our devices include security chips that we are not yet able to utilize with Mender.
SLR-