[RFC] Encrypt plan artifacts at rest

Currently plan files persisted in workplace artifacts in GitHub are not encrypted (see #817). This is a security concern because plan artifacts contain a snapshot of state, which can contain sensitive data like private keys.

Proposed solution: encrypt plan artifacts at rest

Store encryption key as DIGGER_PLAN_ARTIFACT_ENCRYPTION_KEY secret in Github Secrets
When plan artifacts are uploaded in plan_storage.go, encrypt the contents of the file with AES-256, smth like this: gpg --cipher-algo AES256 --symmetric filename.tar.gz. Using zip password is not a good idea because it uses a weak cipher.

Open questions

Do we need to rotate the encryption key? Github Secrets don't seem to have any method for that. We might want to instead integrate with a secret manager like Vault or Infisical.
Is there a "standard" way to encrypt workplace artifacts in GitHub? My initial search didn't yield any, but encryption of build artifacts in Actions at rest is hardly a niche problem, so there probably is a somewhat-standard solution

Other solutions considered

Remove state representation from the plan artifact

Suggested by one of the users; unfortunately it doesn't look feasible because a snapshot of existing state is an integral part of the plan. The purpose of the plan artifact is to capture the state at the time of plan artifact creation, plus the diff on top. This way if the state has moved on since the plan artifact was created and now contains changes that are not compatible with the plan artifact, Terraform is able to compare actual state with the plan time state. See state representation in the Terraform internals docs.

diggerhq / digger