AWS and mounted keys both implemented their own version of envelope encryption for secrets. Cloud KMS did not, causing larger payloads to fail to encrypt.
This PR adds a standard code path for all the key backends to do envelope encryption. This fixes the size limit issue with KMS and makes the way we encrypt secrets consistent across backends.
Also, as a nice side effect, we now never have to send the actual secret content over the network to encrypt/decrypt it.
To not require any migration of existing data, I implemented fallback mechanisms for the old data formats, so that customers will not need to change anything to get the benefits of the new envelope encryption. Once a value is decrypted and encrypted again (for example, on update), the data is automatically migrated to the new format.
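The scheme described above, sketched as an added example (this is not code from the PR or the project): the secret is encrypted locally under a fresh data key, only that key is sent to the backend, and any stored value that is not an envelope falls back to direct backend decryption. The names `Seal`, `Open` and `aead`, the JSON envelope layout, the choice of AES-256-GCM and the modelling of a backend as a pair of function values are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
)

type envelope struct{ Key, Nonce, Data []byte } // example format; all names here are hypothetical

func aead(key []byte) (cipher.AEAD, error) { // AES-GCM under a data key
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func Seal(backendEncrypt func([]byte) ([]byte, error), secret []byte) ([]byte, error) {
	buf := make([]byte, 44) // fresh 32-byte data key + 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	gcm, err := aead(buf[:32])
	if err != nil {
		return nil, err
	}
	wrapped, err := backendEncrypt(buf[:32]) // only the data key reaches the backend
	if err != nil {
		return nil, err
	}
	return json.Marshal(envelope{wrapped, buf[32:], gcm.Seal(nil, buf[32:], secret, nil)})
}

func Open(backendDecrypt func([]byte) ([]byte, error), stored []byte) ([]byte, error) {
	var e envelope
	if json.Unmarshal(stored, &e) != nil || len(e.Key) == 0 || len(e.Nonce) != 12 {
		return backendDecrypt(stored) // old format: the backend encrypted the value itself
	}
	dek, err := backendDecrypt(e.Key)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Data, nil) // local decrypt; fails if tampered
}
```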