switch SSH keys to ed25519, encrypt with hardware serial instead of DongleId

- Generate new ed25519 keypair (replaces old RSA keys)
- Encrypt with device serial from /proc/cmdline (always available, no manager needed)
- Update decrypt/encrypt tools and provision.sh to use serial
- Remove dependency on DongleId param for SSH key provisioning

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

system/clearpilot/tools/decrypt

@@ -10,8 +10,11 @@ fi
 src="$1"
 dest="$2"
 
-# Read DongleId for decryption key
-dongle_id=/data/params/d/DongleId
+# Use hardware serial as decryption key
+serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
+keyfile=$(mktemp)
+echo -n "$serial" > "$keyfile"
 
 # Decrypt the file
-cat "$src" | ccrypt -d -k "$dongle_id" > "$dest"
+cat "$src" | ccrypt -d -k "$keyfile" > "$dest"
+rm -f "$keyfile"