[1/2] base: support separate encryption/lockscreen passwords

This adds the necessary infrastructure for allowing users to opt-in to a
distinct device encryption passphrase. The passwords are still tied
together by default. This makes it possible to use a complex encryption
passphrase without losing the convenience of a very simple lockscreen
pin.

This feature can be combined with a forced reboot after a chosen number
of failed unlocking attempts to prevent brute-forcing by requiring the
entry of the encryption password instead.

Change-Id: Iaf89af9bfa7e07f325eec7a60fdcc4de5977055a