[Cells 1.0] Setup for `ActiveRecord::Encryption` framework

Goal

According to https://guides.rubyonrails.org/active_record_encryption.html#setup, we need to set up 3 new keys programmatically since we don't want to switch to the encrypted-credentials file.

We'll add these secrets to config/secrets.yml instead, and set them in config.active_record.encryption:

config.active_record.encryption.primary_key = <value from config/secrets.yml>
config.active_record.encryption.deterministic_key = <value from config/secrets.yml>
config.active_record.encryption.key_derivation_salt = <value from config/secrets.yml>

The secrets are generated with SecureRandom.alphanumeric(32) in Rails: https://github.com/rails/rails/blob/7-1-stable/activerecord/lib/active_record/railties/databases.rake#L533-L545

Note that we shouldn't store these secrets in Rails.application.credentials, as the encrypted-credentials file shouldn't be required (ideally).

Support in Omnibus and Charts will need to be added as well.

Estimate

3 backend engineer days. Details:

It should be fairly straightforward and should take 1 day for the Rails part, and 1-2 days to add support to Omnibus and Charts.

Resources

Edited by Rémy Coutable
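A sketch of the loading step described under Goal, added here as an illustration and not taken from the GitLab code base: it reads the three values from a secrets.yml document, generates any that are missing the same way the linked Rails task does, and reports which ones were generated so they can be written back before any data is encrypted. The `active_record_encryption_` key prefix, the minimum-length check, and both function names are assumptions of this example.

```ruby
require "yaml"
require "securerandom"

# The three settings named in the Goal section.
ENCRYPTION_KEYS = %w[primary_key deterministic_key key_derivation_salt].freeze
KEY_LENGTH = 32 # matches SecureRandom.alphanumeric(32)

# Constructed sample secrets.yml; the key prefix is an assumption of this example.
SAMPLE_SECRETS_YAML = <<~YAML
  production:
    active_record_encryption_primary_key: "constructedPrimaryKey0123456789abcdef"
    active_record_encryption_deterministic_key: ""
YAML

# Returns [settings, generated]: a hash of the three values, plus the names of
# values that were missing and freshly generated. Generated values must be
# persisted and shared by every node, or encrypted columns become unreadable.
def load_encryption_settings(yaml_text, env)
  secrets = YAML.safe_load(yaml_text).fetch(env, {}) || {}
  generated = []
  settings = ENCRYPTION_KEYS.to_h do |name|
    value = secrets["active_record_encryption_#{name}"].to_s
    if value.empty?
      value = SecureRandom.alphanumeric(KEY_LENGTH)
      generated << name
    elsif value.length < KEY_LENGTH
      # Hardening choice of this example, not a Rails requirement.
      raise ArgumentError, "#{name} is shorter than #{KEY_LENGTH} characters"
    end
    [name, value]
  end
  [settings, generated]
end

# Assigns the values to an object with the same setters as
# config.active_record.encryption (a Struct stands in for it below).
def apply_encryption_settings(encryption_config, settings)
  settings.each { |name, value| encryption_config.public_send("#{name}=", value) }
  encryption_config
end

if __FILE__ == $PROGRAM_NAME
  settings, generated = load_encryption_settings(SAMPLE_SECRETS_YAML, "production")
  stand_in = Struct.new(*ENCRYPTION_KEYS.map(&:to_sym)).new
  apply_encryption_settings(stand_in, settings)
  # Print only the names, never the secret values.
  puts "generated (persist these to secrets.yml): #{generated.join(', ')}"
end
```
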