Key replication with hardware token key wrapping

[saper]

This is a proposal to fix the problem described in #771 in a different way:

• Provide support for crypto tokens (such as the https://smartcard-hsm.com/) family, that are able to wrap and unwrap the keys safely.
• This way, the user could replicate the primary key onto multiple devices easily, without having to extract the key.

Rough steps (maybe this is a project):

• Update GnuPG to 2.3.+ update GnuPG and friends to 2.4.0 #1350
• Better, universal token recognition (USB IDs, followed by Answer to Reset for smartcard-like tokens)
• Token recognition and initialization is very slow. Get rid of scdaemon internal CCID mode and let pcscd do the job? (This is unrelated to CCID, kexec-sign-config needs to be fixed - Hash operations should leave some feedback on progress #1369).
• Re-think "screenscrapping" of gpg. Rough idea: gpg-connect-agent directly to the gpg agent, is gpg itself getting a decent Assuan server? https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git
• Fight scdaemon to get better control of the crypto hardware. Consider using the evil https://github.com/alonbl/gnupg-pkcs11-scd/
• Create key domains on https://smardcard-hsm.com/ on initialization. Implement DKEK support to wrap/unwrap GPG keys and replicate them.
• Key wrapping with AES for other tokens?