
Support AES256 at-rest encryption in Files
Closed, Public

Authored by epriestley on Jun 16 2016, 2:45 AM.

Details

Summary

Ref T11140. This makes encryption actually work:

  • Provide a new configuration option, keyring, for specifying encryption keys.
  • One key may be marked as default. This activates AES256 encryption for Files.
  • Add bin/files generate-key. This helps when generating valid encryption keys.
  • Add bin/files encode. This changes the storage encoding of a file, and helps test encodings and migrate existing data.
  • Add bin/files cycle. This re-encodes the block key with a new master key, if your master key leaks or you're just paranoid.
  • Document all these options and behaviors.
Test Plan
  • Configured a bad keyring, hit a bunch of different errors.
  • Used bin/files generate-key to try to generate bad keys, got appropriate errors ("raw doesn't support keys", etc).
  • Used bin/files generate-key to generate an AES256 key.
  • Put the new AES256 key into the keyring, without default.
  • Uploaded a new file, verified it still uploaded as raw data (no default key yet).
  • Used bin/files encode to change a file to ROT13 and back to raw. Verified old data got deleted and new data got stored properly.
  • Used bin/files encode --key ... to explicitly convert a file to AES256 with my non-default key.
  • Forced a re-encode of an AES256 file, verified the old data was deleted and a new key and IV were generated.
  • Used bin/files cycle to try to cycle raw/rot13 files, got errors.
  • Used bin/files cycle to cycle AES256 files. Verified metadata changed but file data did not. Verified file data was still decryptable with metadata.
  • Ran bin/files cycle --all.
  • Ran encode and cycle on chunked files, saw commands fail properly. These commands operate on the underlying data blocks, not the chunk metadata.
  • Set key to default, uploaded a file, saw it stored as AES256.
  • Read documentation.

Event Timeline

epriestley updated this revision to Diff 38801.
epriestley retitled this revision from to Support AES256 at-rest encryption in Files.
epriestley updated this object.
epriestley edited the test plan for this revision.
epriestley added a reviewer: chad.
  • Fix a warning when checking for default AES keys.
chad edited edge metadata.
This revision is now accepted and ready to land. Jun 16 2016, 2:43 PM
This revision was automatically updated to reflect the committed changes.
helladopee added a task: Restricted Maniphest Task. Jun 25 2016, 3:27 AM