Encrypt and authenticate metadata
The following message is by courtesy of brian m. carlson via security-list:
Third, the metadata that occurs unencrypted in the file is hashed with MD5. Since MD5 is cheap to compute, an attacker can guess to see if the items they want to access are in the keyring without needing to decrypt the data. The keys themselves are also stored unencrypted, which makes it easy to determine which types of objects and how many of each type are stored in the keyring. For example, GnuPG stores a "keygrip" attribute. This violates user privacy and leaks a significant amount of data. All of this data should be stored encrypted. Even storing both keys and values as MACs using a secret key would leak which keys and values are repeated, which in many cases would still leak a significant amount of information.
Fourth, the metadata stored unencrypted is also stored without any sort of integrity check. As a result, an attacker can modify it at will without any detection whatsoever. All data stored in the file, including version numbers, algorithm identifiers, and other structural content, as well as encrypted data, should be protected either by an AEAD encryption algorithm or a strong MAC (such as HMAC with SHA-2, SHA-3, or BLAKE2).
Encrypting metadata as much as possible sounds like a good idea. If we encrypt, then we go for an AEAD cipher and get integrity protection.