There is a growing need to have a consistent way of managing security-related credentials inside the db in a more robust way. There are probably at least a dozen tables that manage their own passwords which have reinvented things themselves, and with a broad spectrum of how they handle things.
I'd call this something like a 'vault api' and it would cover a few related tasks:
1) generating / rolling / revoking passwords
2) creating private / public key cert pairs
3) managing all encrypted db fields consistently using private keys which are only on disk
4) rolling keys and gracefully migrating data
- validate_user_key / create_user_key / etc internally encrypt all keys