Issue #3593869: filter Master KEK selection to compatible keys; nudge rotation on change

Frank Mablyrequested to merge
issue/pdv-3593869:3593869-filter-master-kek into 1.x

Both the settings form and the tenant form now list only keys that can serve as a Master KEK (encryption keys that are 256-bit or have no declared size), via a shared MasterKeyOptions helper that reads key type metadata only and always keeps the currently-selected key. On an actual Master KEK change each form warns that the change is non-destructive but leaves existing subjects on the old key until a rotation re-wraps them, linking to the rotation.

Closes #3593869

Merge request reports