Encrypt ExternalService config before writing to the DB

Created by: arussellsaw

dependencies: #18053 (closed) #18058 (closed)

Now that we have decryption working we want to encrypt before writing to the database, and we should probably do this in the DB package. I don't feel great about introducing this dependency inside the db package as i feel like it makes testing harder, and also introduces further global state issues, unless we pass it around everywhere... but i think the tradeoffs are worthwhile against the alternatives.

alternative considered:

I thought about doing the encryption in an ExternalService.SetConfig(cfg string) method, but that is risky, as we'd still need the field to be exported in order to marshal into, so people might accidentally write directly into this field, resulting in unencrypted data in the database. if you find a way to do this, and make the Config field unexported, i think we should do that instead