feat: encrypt gitsshkeys.private_key at rest via dbcrypt (#25872)

Adds an optional dbcrypt wrapper around gitsshkeys.private_key. The
column is encrypted on insert and update through enterprise/dbcrypt when
external token encryption is configured, and decrypted on read.

A new private_key_key_id column references
dbcrypt_keys(active_key_digest) so revocation safety is enforced by the
existing foreign key. Rows with a NULL key_id stay plaintext and remain
readable. Existing plaintext rows can be backfilled by running `coder
server dbcrypt rotate`.

Generated with assistance from Coder Agents.

coderd/database/dump.sql

@@ -2013,9 +2013,12 @@ CREATE TABLE gitsshkeys (
     created_at timestamp with time zone NOT NULL,
     updated_at timestamp with time zone NOT NULL,
     private_key text NOT NULL,
-    public_key text NOT NULL
+    public_key text NOT NULL,
+    private_key_key_id text
 );
 
+COMMENT ON COLUMN gitsshkeys.private_key_key_id IS 'The ID of the key used to encrypt the private key. If this is NULL, the private key is not encrypted.';
+
 CREATE TABLE group_ai_budgets (
     group_id uuid NOT NULL,
     spend_limit_micros bigint NOT NULL,
@@ -4701,6 +4704,9 @@ ALTER TABLE ONLY external_auth_links
 ALTER TABLE ONLY external_auth_links
     ADD CONSTRAINT git_auth_links_oauth_refresh_token_key_id_fkey FOREIGN KEY (oauth_refresh_token_key_id) REFERENCES dbcrypt_keys(active_key_digest);
 
+ALTER TABLE ONLY gitsshkeys
+    ADD CONSTRAINT gitsshkeys_private_key_key_id_fkey FOREIGN KEY (private_key_key_id) REFERENCES dbcrypt_keys(active_key_digest);
+
 ALTER TABLE ONLY gitsshkeys
     ADD CONSTRAINT gitsshkeys_user_id_fkey FOREIGN KEY (user_id) REFERENCES users(id);