The current key sealing format has some less-than-ideal weaknesses:
- PBKDF2 with only 65k iterations, where recommendations are ~200k
- AES with null IV, relying on salt for uniqueness
- lack of AES MAC/AEAD
However improbable, it is at least theoretically possible that with
a lot of resources an offline bruteforce could be attempted.
Add a v2 sealing format, keeping unsealing compatibility with
the current format:
`v2:<iterations>:<salt>:<IV>:<ciphertext>:<aes tag>`
and use 600k iterations for the PBKDF2 sha512
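
A sketch of sealing and unsealing in the v2 layout described above, added here as an illustration and not taken from the project's code. AES-256-GCM, hex field encoding, the 16-byte salt, the 12-byte IV, the iteration bounds, binding the header as AAD, and the names `sealV2`/`unsealV2` are all assumptions of this example.

```javascript
// Added example; cipher mode, encodings, sizes and bounds are assumptions.
const nodeCrypto = require('node:crypto');

const V2_ITERATIONS = 600000;   // PBKDF2-SHA512 count from the description above
const MAX_ITERATIONS = 5000000; // assumed cap so a hostile blob cannot burn CPU

function deriveKey(passphrase, salt, iterations) {
  // 32-byte output for AES-256 (key size is an assumption)
  return nodeCrypto.pbkdf2Sync(passphrase, salt, iterations, 32, 'sha512');
}

function sealV2(passphrase, plaintext, iterations = V2_ITERATIONS) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // random nonce instead of a null IV
  const header = `v2:${iterations}:${salt.toString('hex')}:${iv.toString('hex')}`;
  const key = deriveKey(passphrase, salt, iterations);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(header)); // header fields are covered by the tag
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return `${header}:${ct.toString('hex')}:${cipher.getAuthTag().toString('hex')}`;
}

function unsealV2(passphrase, sealed) {
  const parts = sealed.split(':');
  if (parts.length !== 6 || parts[0] !== 'v2') throw new Error('not a v2 blob');
  const [, iterStr, saltHex, ivHex, ctHex, tagHex] = parts;
  // Validate every field before spending any CPU on key derivation.
  if (!/^[1-9][0-9]*$/.test(iterStr)) throw new Error('bad iteration count');
  const iterations = Number(iterStr);
  if (iterations < V2_ITERATIONS || iterations > MAX_ITERATIONS) {
    throw new Error('iteration count out of range'); // blocks downgrade and DoS
  }
  if (![saltHex, ivHex, ctHex, tagHex].every((h) => /^([0-9a-f]{2})*$/.test(h))) {
    throw new Error('bad hex field');
  }
  if (ivHex.length !== 24 || tagHex.length !== 32) {
    throw new Error('bad IV or tag length');
  }
  const key = deriveKey(passphrase, Buffer.from(saltHex, 'hex'), iterations);
  const iv = Buffer.from(ivHex, 'hex');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(Buffer.from(parts.slice(0, 4).join(':')));
  decipher.setAuthTag(Buffer.from(tagHex, 'hex'));
  // final() throws when the tag does not verify (wrong passphrase or tampering)
  return Buffer.concat([decipher.update(Buffer.from(ctHex, 'hex')), decipher.final()]);
}
```

Compatibility with the current format would sit in front of `unsealV2`: a blob without the `v2:` prefix goes to the existing unsealing path.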