Implement bridge descriptor secret manager in metrics-db

In legacy/trac#2435 (moved) we discussed replacing bridge IP addresses in bridge descriptors with

H(IP address + bridge identity + secret)[:3]

This is already implemented for a static secret.

We also discussed changing the secret regularly, say, once a month. This requires us to extend metrics-db to:

• generate a new secret when we receive the first descriptor of a new month,
• store secrets to disk and read them on startup,
• solve the problem that a descriptor can be referenced from statuses of two months, and
• delete secrets when we're sure we don't need them anymore.