If a Buendia server should be physically stolen, we want to ensure that, at a minimum, the attackers will have a difficult time accessing patient data.
We should implement a "security reset mode" that, when triggered, makes the database unreadable until recovery conditions are met.
We switch to a recent version of MariaDB (>= 10.1.4) that supports encryption at rest.
When we initialize the database, we generate a random encryption key, which is saved in a file on the server, and use it to encrypt the database.
The encryption key is also used to encrypt the backups of the database. The key itself is also backed up to the USB stick by the regular backup script.
When the server thinks it has been stolen (we can elaborate how, later), it deletes the encryption key on disk and on any USB stick, if present.
This way, if the server is physically stolen (with or without a USB stick present), which presumably implies a reboot because you'll be disconnecting it from power to steal it, all data at rest is encrypted and the key is gone, so the thief cannot access any patient data.
But, if the "I've been stolen" detector activates by mistake, it's not a disaster — your other USB key, back at the office, still has the encryption key, so you haven't lost any data. If a stolen server is recovered, you could reunite it with one of your backup sticks and it will come back to life.
Attn: @zestyping
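As an added example (not code from the Buendia project), here is a POSIX shell sketch of the key lifecycle proposed above, written against MariaDB's file_key_management plugin: generate a random key in the format the plugin reads, write the server settings that turn on encryption at rest, copy the key to a backup stick, destroy it on a "security reset", and restore it from the off-site stick. All paths, the mount points and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: key lifecycle for MariaDB (>= 10.1.4) encryption at rest via
# the file_key_management plugin. Paths and mount points are assumptions.

KEY_ID=1   # key identifier that tablespaces reference in the plugin's key file

# Generate a key file in the format the plugin reads: "<id>;<hex 256-bit key>".
# The subshell keeps the restrictive umask local to this function.
gen_keyfile() {
    keyfile=$1
    hex=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
    ( umask 077; printf '%s;%s\n' "$KEY_ID" "$hex" > "$keyfile" )
}

# Accept a key file only if it holds exactly one well-formed "<id>;<64 hex>" line.
keyfile_ok() {
    [ -f "$1" ] && [ "$(grep -c '' "$1")" -eq 1 ] &&
        grep -Eq "^$KEY_ID;[0-9a-f]{64}$" "$1"
}

# Write the MariaDB settings that encrypt tablespaces and the redo log with that key.
# (Assumed location for the file: a conf.d snippet such as /etc/mysql/conf.d/encryption.cnf.)
write_encryption_conf() {
    conf=$1; keyfile=$2
    cat > "$conf" <<EOF
[mysqld]
plugin_load_add = file_key_management
file_key_management_filename = $keyfile
# AES_CTR needs an OpenSSL-linked build; omit the line to fall back to AES_CBC.
file_key_management_encryption_algorithm = AES_CTR
innodb_encrypt_tables = ON
innodb_encrypt_log = ON
innodb_encryption_threads = 4
EOF
}

# Copy the key to a backup medium (e.g. the USB stick mounted at $2) and verify the copy.
backup_key() {
    keyfile=$1; dest_dir=$2
    mkdir -p "$dest_dir"
    cp "$keyfile" "$dest_dir/keyfile"
    chmod 600 "$dest_dir/keyfile"
    cmp -s "$keyfile" "$dest_dir/keyfile"
}

# Security reset: destroy the key on disk and on every attached stick passed as
# further arguments. Without it the encrypted tablespaces and backups are unreadable.
security_reset() {
    keyfile=$1; shift
    for f in "$keyfile" "$@"; do
        [ -f "$f" ] || continue
        # Overwrite before unlinking so the bytes are not left in a free block.
        if command -v shred >/dev/null 2>&1; then
            shred -u "$f"
        else
            dd if=/dev/urandom of="$f" bs=1k count=1 conv=notrunc 2>/dev/null
            rm -f "$f"
        fi
    done
}

# Recovery: bring the key back from the off-site backup stick, after validating it.
recover_key() {
    backup=$1; keyfile=$2
    keyfile_ok "$backup" || return 1
    ( umask 077; cp "$backup" "$keyfile" )
}
```

Two caveats a practitioner would add. First, overwriting a file in place does not reliably destroy it on flash or SSD media (wear levelling keeps old copies), so the reset should be treated as best effort and the stick's key file should be the only copy on that medium. Second, MariaDB holds the key in memory while it runs, so the reset only protects data once the server has been powered off, which is exactly the reboot the issue assumes a thief causes.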