support for unencrypted keys

In order to support SSO, we are probably going to use a 'key daemon' that keeps a temporary copy of unencrypted keys.

It would work like this:

  1. user logs into SSO identity provider (account.riseup.net), gets a ticket
  2. identity provider unlocks the user's encrypted storage key, keeps it in a key daemon
  3. user presents ticket to email server
  4. email service authenticates to a local auth daemon.
  5. this auth daemon checks the key daemon. if it is given a password, it returns the encrypted key. if it is given a valid ticket, it returns the unencrypted key.

So, in preparation for this, TREES should do this:

  • Before we try to unlock a private key, check to see if it is already unlocked. If it is, then just use it as-is.
Edited by elijah
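
A model of steps 1 to 5 and of the TREES-side check, added here as an illustration; it is not code from TREES or from the Riseup daemons. The ticket format (`user|expiry|HMAC`), the shared secret, the 300-second lifetimes, the `locked` flag in the reply and every function name are assumptions made for the example.

```python
import hashlib, hmac, time

TICKET_SECRET = b"constructed-demo-secret"  # assumption: known to IdP and auth daemon

def _mac(user, expiry):
    return hmac.new(TICKET_SECRET, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()

def issue_ticket(user, now, ttl=300):
    """Step 1: the identity provider issues a ticket (hypothetical format)."""
    expiry = int(now + ttl)
    return f"{user}|{expiry}|{_mac(user, expiry)}"

def ticket_valid(user, ticket, now):
    try:
        t_user, expiry, mac = ticket.split("|")
        fresh = now < int(expiry)
        ok = hmac.compare_digest(mac.encode(), _mac(t_user, int(expiry)).encode())
    except ValueError:  # wrong field count, non-numeric expiry, bad encoding
        return False
    return ok and fresh and t_user == user

class KeyDaemon:
    """Step 2: holds temporary copies of unencrypted keys."""
    def __init__(self):
        self._keys = {}
    def store(self, user, key, now, ttl=300):
        self._keys[user] = (key, now + ttl)
    def get(self, user, now):
        key, expiry = self._keys.get(user, (None, 0))
        if key is not None and now >= expiry:
            del self._keys[user]  # expired: forget the unencrypted copy
            return None
        return key

def auth_lookup(user, kind, credential, encrypted_keys, key_daemon, now):
    """Step 5: password -> encrypted key, valid ticket -> unencrypted key."""
    if kind == "password":  # password verification itself is out of scope here
        return {"locked": True, "key": encrypted_keys[user]}
    if kind == "ticket" and ticket_valid(user, credential, now):
        key = key_daemon.get(user, now)
        if key is not None:
            return {"locked": False, "key": key}
    return None  # bad or expired ticket, or no key held: no key material

def private_key_for_session(reply, password, unlock):
    """TREES-side check: an already unlocked key is used as-is."""
    if not reply["locked"]:
        return reply["key"]
    return unlock(reply["key"], password)
```

The reply carries an explicit `locked` flag set by the auth daemon, so the consumer never has to guess from the key bytes whether unlocking is still needed.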