encrypt email renew token?

[tomholub]

dependent on #2546

setting up:

1. when first setting up, before a pass phrase was chosen, unencrypted access tokens only go in session, not in permanent storage
2. then during setup, once pass phrase is known, encrypt them with pass phrase. Can use a separate storage index like google_token_renew_encrypted (storage) and google_token_access_plain (session).

retrieving access token:

1. check google_token_access_plain session storage, grab token from there if exists
2. check legacy google_token_access local storage
3. check legacy google_token_renew local storage
4. attempt to decrypt google_token_renew_encrypted local storage if pass phrase present (else throw / show modal - this is a difficult point because this may actually be executed in the background? - gets complicated)

If it was not encrypted, encrypt it with the pass phrase and store
If pass phrase not present, show dialog

---

note - this is just a draft.

The actual security concern may be alleviated by implementing #2558 if implemented reliably, because while the user is logged in, attacker can retrieve another set of access tokens anyway (or just copy browser cookies). -> did not work