Agent refactor: the agent should decrypt, rather than sending the unwrapped key #652
Description
I've been meaning to do this for a while: there's no reason for the unwrapped key to be spread across both the client and the agent. The agent should instead hold onto it, and service requests from the client to perform decryption.
The main "pro" here is isolation of concerns. The main "con" is that it'll probably be slightly slower (especially for lots of decryptions in a row), but probably not distinguishable for the average use case.
This will require a protocol breakage on the agent side as well.