Investigate transition path from pycryptodome to pyca/cryptography

[eloquence]

Per #3399 we'd like to switch from pycryptodome to pyca/cryptography for security reasons. However, our use of Ubuntu Trusty combined with the required dependencies may make it difficult to install the most recent version. The task here is to enumerate and select an installation strategy so that we can use a version of pyca/cryptopgraphy with no known security issues we can migrate to. This will unblock further work on #3400.

[redshiftzero]

The failure installing the latest version of pyca/cryptography is due to an old version of setuptools. It requires version 18.5 or later.

It is not recommended to install a newer version of setuptools via pip as that is unsafe, due to potential conflicts with the system install of setuptools (relevant: #3407).

python-setuptools in Trusty is on version 3.3. python-setuptools in Xenial is on version 20.7 (i.e. greater than the required 18.5), so if we were running on Xenial we wouldn't have this setuptools issue.

However, we can sidestep this issue by installing a slightly earlier version - 2.0.3 - of pyca/cryptography. Since our non-gpg crypto functionality is limited, it does not appear that the functionality we actually need changed in significant ways between 2.0.3 and present.

Currently testing this in branch cryptography-2.0.3

[redshiftzero]

The cryptography-2.0.3 branch installs without issue in staging VMs, so closing this ticket. Will followup on the actual diff in #3399 and the corresponding PR