Closed agrahn closed 1 week ago
Some more credentials are persistently saved between APS processes using EncryptedSharedPreferences which need to be migrated.
APS still depends on the androidx.security:security-crypto library, making use of the EncryptedFile class for storing Ed25519 SSH private keys.
Motivation
The Jetpack security crypto library androidx.security:security-crypto has been deprecated by Google: https://developer.android.com/privacy-and-security/cryptography#jetpack_security_crypto_library
It defines the EncryptedSharedPreferences and EncryptedFile classes which are used by APS for persistently caching the user-entered PGP key passphrase across APS processes (1), and for storing an APS-generated Ed25519 SSH private key in an encrypted file (if selected by the user during set-up) (2). (1) is a less desirable feature, for security reasons, as it allows a (potentially malicious) user to unlock the PGP secret key for decrypting password store entries by just entering the screen-lock PIN, even after a device restart. Because of this and of the library deprecation, passphrase caching using EncryptedSharedPreferences should be removed. The option of generating Ed25519 SSH private keys should be removed as well from APS as it relies on EncryptedFile to store the private key file in the app.