Do not delete Escrowed keys if a host disk is encrypted

[sharon-fdm]

Goal

User story
As an admin for my org,
I want escrowed disk encryption keys not to be deleted as long as the host is still encrypted,
so that I can recover the key if needed.

Key result

When hosts are moved to a team that has disk encryption off, if an escrow key exists it will be deleted. This behaviour should be changed. As long as the host is encrypted, do not delete the key.

Original requests

Context

• Product designer: _____

Changes

Product

• [ ] UI changes: TODO
• [ ] CLI (fleetctl) usage changes: TODO
• [ ] YAML changes: TODO
• [ ] REST API changes: TODO
• [ ] Fleet's agent (fleetd) changes: TODO
• [ ] Activity changes: TODO
• [ ] Permissions changes: TODO
• [ ] Changes to paid features or tiers: TODO
• [ ] Other reference documentation changes: TODO
• [ ] Once shipped, requester has been notified
• [ ] Once shipped, dogfooding issue has been filed

Engineering

• [ ] Feature guide changes: TODO
• [ ] Database schema migrations: TODO
• [ ] Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Requires load testing: TODO
• Risk level: Low / High TODO
• Risk description: TODO

Manual testing steps

1. Step 1
2. Step 2
3. Step 3

Testing notes

Confirmation

1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

[sharon-fdm]

@noahtalerman, I assigned to you to see if you have specific requirements.