As an update to this topic, here the current state:
The setup file format should also be used to enable serial commissioning. Thus, we only use the password encryption for known secrets like certificate keys or passwords in clear text, but not for the whole contents of the setup file.
You may use another encryption step to password-protect the downloaded zip archive.
... View more