Newer puppet versions won't fall back to PSON anymore if there is
binary data within the catalog (option main/allow_pson_serialization
is set to false by default).

The proper way to handle binary data seems to be to use `binary_file`
to get binary data into the catalog.
For an onion service both public and secret key are binary data.

Additionally, if we did not make the public key a `Sensitive` type
as well this still made the public key file flip on every run, since
a tor restart seem to have slightly changed it. Wrapping it as
`Sensitive` did not have that effect.