Nico also notes that it would be more efficient and more reliable to use a 
single, well-defined transformation of the password (maybe s2k in the 
master key's enctype?) instead of storing key sets.  That way, password 
history would continue to work in the face of changes in the key enctype.

I'm noting this here because migrating to using the master key would be a 
good opportunity to also change what key transformations are stored.