'sq encrypt' should have an option to reencrypt an encrypted message. This would decrypt the session key and add *or* replace PKESK/SKESK packets. If this is inconvenient to do using the current low-level API, then appropriate convenience functions should be added. Note: if the encrypted part is signed, this would break the signatures. This condition should be detected and handled. Note: this is not about upgrading the symmetric encryption, e.g., changing a message to use an AEAD instead of a SED packet.