Add Crypto/HSM Master and Wrapped Project KEK Rotation and Migration Support

Currently Barbican has no means to migrate secrets encrypted with a crypto/HSM-style plugin to a new master key encryption key (MKEK) and its associated wrapped project KEKs. This blueprint proposes adding a new Barbican service process that supports completing the rotation of secrets to a new master key encryption key (MKEK) and a new wrapped project KEK. This process would be started after deployers, out of band: (1) generate new MKEK and HMAC signing keys with a binding to new labels, and then (2) replicate these keys to other HSMs that may be in the high availability (HA) group, and then (3) update Barbican's config file to reference these new labels, and finally (4) restart the Barbican nodes. The proposed process would then migrate secrets from encryption via the old keys to encryption via the new ones.