Encrypt user_credentials and batch_changes_site_credentials tables

Created by: eseliger

Pull requests

  • #20287 (everything required for user credentials)

Plan

  • Add a new key for the batch change key
    • Add the key to the schema
    • Parse it when creating a keyring
    • Sensibly plumb it through the batch changes codebase rather than relying on keyring.Default()
  • Encrypt user credentials
    • Add in-band migration to update the table schema
    • Update internal/database to be able to read/write the updated schema
    • Update internal/database tests to test the new functions and ensure the check constraint works as expected
    • Update the existing SSH migration
    • Update the existing SSH migration's tests
    • Patch up the places where we currently access UserCredential.Credential directly
    • Add OOB migration
  • Encrypt site credentials (this will get a sublist much like the user credential one)
    • Add in-band migration to update the table schema
    • Update internal/database to be able to read/write the updated schema
    • Update internal/database tests to test the new functions and ensure the check constraint works as expected
    • Patch up the places where we currently access the authenticator directly
    • Add OOB migration
  • Testing
  • Documentation