Firmware Protection (nrf52840)

Hi there,

:trophy:
Yes, you’re on the right track! The Secure Bootloader is pre-programmed with the key (or derived key) that matches the one used to encrypt the firmware on the PC. So, when the firmware update is sent to the device, the bootloader can decrypt it.

But let’s clarify one thing:

  • :key: Yes, if the same key is used across 100 devices, all those devices will be able to decrypt the firmware.
  • :closed_lock_with_key: However, a more secure approach is to use a unique key for each device (Device-specific keys). This can be achieved using a Device Unique Key (DUK) that is derived from a master key and a device-specific identifier.
  • :pushpin: Nordic’s nRF52840 supports mechanisms to secure keys in protected areas, and you can implement solutions where the key is only accessible by the bootloader.

For the best security, you would:

  1. Provision each device with its own unique key during manufacturing. There are flash locations you can have pre-programmed, or do it with your own algorithms.
  2. Use a key derivation process to generate per-device keys if using a shared master key.
  3. Implement Secure Boot to ensure firmware authenticity and integrity.

I’ll post an MCUBoot Image soon for Xiao and folks can play with different methods of DFU and Security levels. :+1:

GL :slight_smile: PJ :v:

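The per-device key derivation and secure-boot check described in the reply above, as an added example that is not from the original post or from Nordic's SDK: a master key and each device's identifier are fed through HKDF-SHA256 (RFC 5869) to produce a Device Unique Key, and the bootloader authenticates an update image with an HMAC under that key. The master key, device IDs and image bytes are constructed placeholders; a real deployment keeps the master key in the factory HSM and the DUK in the chip's protected flash region.

```python
import hmac
import hashlib

# Constructed placeholder: the real master key never leaves the factory HSM.
MASTER_KEY = bytes.fromhex("1f" * 32)
DUK_LABEL = b"nrf52840-duk-v1"  # fixed salt/label so the KDF is domain-separated


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF: extract a PRK, then expand it into `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def device_unique_key(master_key: bytes, device_id: bytes) -> bytes:
    """DUK = HKDF(master_key, salt=label, info=device_id).

    The provisioning server and the device's secure bootloader compute the
    same value from the same inputs, so nothing per-device has to be shipped
    in the clear and one leaked DUK does not reveal another device's key.
    """
    return hkdf_sha256(master_key, DUK_LABEL, device_id, 32)


def sign_image(duk: bytes, image: bytes) -> bytes:
    """PC side: tag the update image for one specific device."""
    return hmac.new(duk, image, hashlib.sha256).digest()


def bootloader_accepts(duk: bytes, image: bytes, tag: bytes) -> bool:
    """Device side: accept the image only if the tag verifies under this DUK.

    compare_digest runs in constant time, so the check does not leak how many
    tag bytes matched.
    """
    return hmac.compare_digest(sign_image(duk, image), tag)


if __name__ == "__main__":
    # Constructed sample: two devices from the same production batch.
    duk_a = device_unique_key(MASTER_KEY, b"DEVICE-ID-0001")
    duk_b = device_unique_key(MASTER_KEY, b"DEVICE-ID-0002")
    image = b"constructed firmware image bytes"
    tag_for_a = sign_image(duk_a, image)
    print("device A accepts:", bootloader_accepts(duk_a, image, tag_for_a))
    print("device B accepts:", bootloader_accepts(duk_b, image, tag_for_a))
```

With a shared key every device in the batch would accept the same package; with per-device keys an image tagged for device A is rejected by device B even though both were derived from the same master key.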