secrets: use base64 and make interface private

Created by: unknwon

This changeset is extracted from #13759 to make it easier to review.

1. Refactored secrets package to do base64 encoding/decoding.
2. Prepend encryption key hash to ciphertext for easier filtering by primary or secondary key.
3. Made encryptor interface to be private because application layer code should just use the exported package-level functions.
4. Changed separator to use $ instead of : because it is going to fail with https://xxx (i.e. external_service_repos.clone_url) (the fact is whatever separator we choose, there is always a chance the plaintext string contains it).

Co-authored-by: Dax McDonald [email protected]