Use OsRng or better for generating long-lived keys

Follow-up from #1774 (closed): we should use OsRng when we are generating long-lived keys.

If we are suspicious (and we are!), we may want to do the same thing C tor does, and never use OsRng directly, but instead combine it with our regular Rng, to minimize the impact of certain catastrophic failures.

(C tor's implementation is in crypto_strongest_rand_, and it uses SHA512 to combine the crypto library's Rng output together with the os rng. We could do a more efficient one using shake128.)

Edited by Nick Mathewson
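
The combining construction described above, sketched in Python with SHAKE128 as the combiner. This is an added example, not code from C tor or Arti. `UserspaceRng`, `combine`, `strongest_rand`, the domain label and the 32-byte draw size are all assumptions made for the illustration.

```python
import hashlib
import os
from typing import Callable, Sequence

Source = Callable[[int], bytes]
DRAW_LEN = 32                        # bytes taken from each source (assumption)
DOMAIN = b"example-combined-rng-v1"  # constructed domain-separation label


class UserspaceRng:
    """Hypothetical stand-in for the library's regular RNG: seeded once,
    then ratcheted forward with SHAKE128 on every call."""

    def __init__(self, seed: bytes) -> None:
        self._state = seed

    def __call__(self, n: int) -> bytes:
        block = hashlib.shake_128(b"ratchet" + self._state).digest(32 + n)
        self._state, out = block[:32], block[32:]
        return out


def combine(outputs: Sequence[bytes], out_len: int) -> bytes:
    """Absorb every source's output into one SHAKE128 instance and squeeze
    out_len bytes. Each input is length-prefixed so boundaries are unambiguous."""
    xof = hashlib.shake_128(DOMAIN)
    for chunk in outputs:
        xof.update(len(chunk).to_bytes(2, "big") + chunk)
    return xof.digest(out_len)


_REGULAR_RNG = UserspaceRng(os.urandom(32))  # seeded once at import time


def strongest_rand(out_len: int,
                   sources: Sequence[Source] = (os.urandom, _REGULAR_RNG)) -> bytes:
    """Draw from every source and hash the draws together. The result stays
    unpredictable as long as at least one source is; a short read fails closed."""
    draws = []
    for src in sources:
        data = src(DRAW_LEN)
        if len(data) != DRAW_LEN:
            raise RuntimeError("entropy source returned a short read")
        draws.append(data)
    return combine(draws, out_len)


if __name__ == "__main__":
    print(strongest_rand(32).hex())  # e.g. seed material for a long-lived key
```

SHAKE128 offers at most 128-bit security strength however many bytes are squeezed, so a combiner built on it caps the strength of the keys it seeds at that level.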