attr_encrypted does different things with `key` depending on what mode you are using:
1. In `:per_attribute_iv_and_salt` mode, it generates a hash with the salt:
c3a62c4a9e/lib/encryptor.rb (L77).
There is no need to truncate the key to 32 bytes here.
2. In `:per_attribute_iv` mode, it sets the key directly to the password, so
truncation to 32 bytes is necessary.
Closes#47166
Fixes that make this work:
* A change in Ruby (ce635262f5)
requires passing in the exact required length for OpenSSL keys and IVs.
* Ensure the secrets.yml is generated before any prepended modules are
loaded. This is done by renaming the `secret_token.rb` initializer to
`01_secret_token.rb`, which is a bit ugly but involves the least impact on
other files.
Stan Hu