Decouple secret keys from each other

username-removed-443319 requested to merge decouple-secret-keys into master

At the moment, the gitlab-rails secret_token is also used for encrypting OTP secrets in the DB. We can't fix this automatically without making people re-encrypt everything, or disable 2FA, but we can make this easier in future by making this explicit.

See https://gitlab.com/gitlab-org/gitlab-ce/issues/3963. This should not be merged until after https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/5274.
