Add a toggle to enable curve encryption for all kernels that support it

[krassowski]

Exposes the proposed functionality from:

• Add ZMQ Curve for transport encryption jupyter/jupyter_client#1110
• Support ZMQ Curve for transport encryption ipython/ipykernel#1515

To test:

1. Install ipykernel with PR 1515 and execute

   python -m ipykernel install --name zmq-encrypted --display-name 'ZMQ Encryption' --user

2. Run jupyter-server with:

   jupyter lab --KernelManager.transport_encryption 'required'

3. See that for kernels without encryption we get:
   
4. See that encrypted kernels work ok:
   

[krassowski]

In principle ready for review; I will follow with an end-to-end test, either here or in another PR (i..e once other PRs are merged and released), but beyond more tests I do not plan changes, unless requested in review.

[minrk]

This looks simple and straightforward, nice! I think the only missing piece that we will need to enable this feature on a per-kernel basis. I think it makes sense to have a single flag to enable curve "when available" and may potentially want a case to require it (prohibit unencrypted kernel communication). So:

1. curve disabled
2. curve enabled on supporting kernels (still needs detection of support)
3. curve required (unsupporting kernels cannot be launched)

So we still need a mechanism to detect if kernels support curve (could be a bool kernelspec field).

[ianthomas23]

So we still need a mechanism to detect if kernels support curve (could be a bool kernelspec field).

Perhaps in the supported_features (https://github.com/ipython/ipykernel/blob/912923542d55e6c80c0e7c1f94c648b52a225011/ipykernel/kernelbase.py#L997) from JEP 92?

[krassowski]

Are we thinking that three state string Enum (disabled, enabled, required) is a good choice to expose this? Or do folks prefer two Bools (which is nice but disabled + required does not make sense so should probably raise).

[krassowski]

Wouldn't supported_features be too late? This is emitted via kernel_info_reply but we need to know that before establishing the connection (so at the kernelspec level, the same as the debugger stanza in metadata originally before being moved to supported_features)?

[ianthomas23]

Wouldn't supported_features be too late? This is emitted via kernel_info_reply but we need to know that before establishing the connection (so at the kernelspec level, the same as the debugger stanza in metadata originally before being moved to supported_features)?

Yes, you are correct.

[krassowski]

Added the ability to require encryption in:

• 45d54ac
• jupyter/jupyter_client@44824e5
• ipython/ipykernel@04ec2fe