This repository has been archived by the owner on Sep 20, 2023. It is now read-only.
As we adapt for scenarios where the KMS key is not known at runtime because we are using standard RSA encryption and not native AWS functions, I think it's important to be able to distinguish when 'decryption failure' is due to 'wrong key' versus some other issue such as encoding, escaping, truncation, etc.
I would propose we attach a public key fingerprint using MD5 or SHA, whichever allows easier matching to KMS.
This will significantly aid troubleshooting, since then without sending any confidential information, an administrator can see if there's a key match issue.
Priority-wise, this doesn't have to be top priority. If it's easy and we can knock it out, then great. But also, it's probably okay if we add later.
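One way the proposed fingerprint could be used to separate "wrong key" from encoding or truncation problems, as an added example that is not code from this repository. The envelope layout, the `key_fp` field, the function names, the choice of SHA-256 over the DER-encoded public key and the 256-byte (RSA-2048) ciphertext size are assumptions, and the sample keys are constructed stand-in bytes rather than real RSA keys.

```python
import base64
import hashlib
import json


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor lines and return the DER bytes."""
    body = "".join(ln for ln in pem.strip().splitlines() if not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER-encoded public key (assumed fingerprint definition)."""
    return "sha256:" + hashlib.sha256(pem_to_der(pem)).hexdigest()


def wrap(ciphertext: bytes, public_key_pem: str) -> str:
    """Hypothetical envelope: ciphertext plus fingerprint of the encrypting key."""
    return json.dumps({"key_fp": fingerprint(public_key_pem),
                       "ciphertext": base64.b64encode(ciphertext).decode("ascii")})


def diagnose(envelope: str, local_public_key_pem: str, modulus_bytes: int = 256) -> str:
    """Classify a decryption failure using only public data."""
    try:
        doc = json.loads(envelope)
        sender_fp = doc["key_fp"]
        ct = base64.b64decode(doc["ciphertext"], validate=True)
    except (ValueError, KeyError, TypeError):
        return "malformed-envelope"      # escaping, encoding or truncated JSON
    if sender_fp != fingerprint(local_public_key_pem):
        return "key-mismatch"            # encrypted to a different key
    if len(ct) != modulus_bytes:
        return "truncated-ciphertext"    # raw RSA output is exactly modulus-sized
    return "key-match"                   # key is right; look elsewhere


def _constructed_pem(seed: bytes) -> str:
    """Constructed stand-in bytes in PEM armor; not a real RSA key."""
    der = hashlib.sha256(seed).digest() * 4
    return ("-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(der).decode("ascii")
            + "-----END PUBLIC KEY-----\n")


KEY_A = _constructed_pem(b"key-a")
KEY_B = _constructed_pem(b"key-b")
ENVELOPE = wrap(b"\x00" * 256, KEY_A)   # constructed 256-byte ciphertext placeholder

if __name__ == "__main__":
    for name, pem in (("A", KEY_A), ("B", KEY_B)):
        print(name, diagnose(ENVELOPE, pem))
```

Only the fingerprint and the classification need to be shared with an administrator; neither reveals plaintext or private key material.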