I think you would need a chip which both:
- holds the key, and
- does the crypto internally
Short of that, all you are getting is half the job. The proper solutions still require a physically tamper-proof design (encapsulation, various features to detect tampering, self-erase if attempted, etc). BTW I think most people are designing-out anything from Maxim.
For what I am doing, it isn't needed. I just need to piss somebody off for a few days. I am not going to discuss what I am doing in detail but you certainly won't be able to disassemble any OTA update. Unfortunately somebody who is very clever can probably crack a 32F4 in minutes and get the FLASH out, with the right equipment. They will need much more time to work out other aspects of the product, however.
Many years ago, in the days of Z80 etc and EPROMs, I used to jumble up the address and data lines.
I had a utility written which jumbled them in reverse for the EPROM programmer. One customer, the usual kind of wide-boy opportunist chancer from a certain country, who used to run the corporate IT business in London in the 1980s, told me he spent days on trying to work out why my EPROMs disassembled to junk and eventually gave up, believing they were "encrypted".
One can also use security selectively. When a new product comes out, the first orders tend to be from competitors, and will never be actually deployed. So you can set Level 2 on those.
Same on anything going out to China, etc.
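
Added example, not part of the original post and not the poster's utility: a sketch of the address/data line jumbling described above, showing how an image is pre-scrambled for the EPROM programmer so that the CPU reads the original bytes through the swapped wiring. The wiring tables, the 256-byte ROM size and the sample image are constructed assumptions; the scheme is a fixed bit permutation, which is obfuscation rather than encryption.

```python
# Hypothetical board wiring (assumption): CPU line i is routed to EPROM pin MAP[i].
ADDR_MAP = [3, 0, 2, 1, 7, 5, 4, 6]   # 8 address lines -> 256-byte toy ROM
DATA_MAP = [6, 2, 7, 0, 5, 1, 3, 4]   # 8 data lines

def permute_bits(value, mapping):
    """Return value with bit i moved to bit position mapping[i]."""
    out = 0
    for src, dst in enumerate(mapping):
        if (value >> src) & 1:
            out |= 1 << dst
    return out

def invert(mapping):
    """Inverse permutation: EPROM pin -> CPU line."""
    inv = [0] * len(mapping)
    for src, dst in enumerate(mapping):
        inv[dst] = src
    return inv

def scramble_for_programmer(image, addr_map=ADDR_MAP, data_map=DATA_MAP):
    """Build the bytes to burn so the CPU, via the swapped lines, sees `image`."""
    if len(image) != 1 << len(addr_map):
        raise ValueError("image must fill the whole address space")
    eprom = bytearray(len(image))
    for cpu_addr, cpu_byte in enumerate(image):
        # The cell the CPU actually selects, holding the byte as the pins must carry it.
        eprom[permute_bits(cpu_addr, addr_map)] = permute_bits(cpu_byte, data_map)
    return bytes(eprom)

def cpu_read(eprom, cpu_addr, addr_map=ADDR_MAP, data_map=DATA_MAP):
    """Model of the board: the byte the CPU receives when it drives cpu_addr."""
    pin_byte = eprom[permute_bits(cpu_addr, addr_map)]
    return permute_bits(pin_byte, invert(data_map))

def sample_image():
    """Constructed 256-byte image: DI; LD SP,8000h; JP 0100h; then erased-state fill."""
    code = bytes([0xF3, 0x31, 0x00, 0x80, 0xC3, 0x00, 0x01])
    return code + bytes([0xFF]) * (256 - len(code))

if __name__ == "__main__":
    image = sample_image()
    eprom = scramble_for_programmer(image)
    print("raw EPROM dump :", eprom[:8].hex(" "))
    print("as seen by CPU :", bytes(cpu_read(eprom, a) for a in range(8)).hex(" "))
```

A raw dump of the chip in a programmer shows the permuted bytes at permuted addresses, which is why a straight disassembly produces junk while the board itself runs normally.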