Use local stored key to manage recovery keys

[derektamsen]

luks2crypt should generate and use a local key to manage the escrowed recovery keys. This would allow luks2crypt to not keep a cleartext cached password locally on the host. It would also enable it to rotate passwords on a scheduled basis.

Ex:

• luks slot 1 would contain a locally generated cert stored in /etc/luks2crypt/adminkey
• luks slot 2 would contain a recovery key. This would then be escrowed an no local copy would be kept.
• luks slot 3+ would be used for user keys.

Luks2crypt would then be able to rotate slot 2 at a scheduled interval or with a cli flag.