Create a vault for secret tokens and move some into it.

This is intended to reduce the number of critical secrets stored in the
INI file.  An initial subset of secrets is moved into the vault to test
things out.

r2/example.ini

@@ -7,6 +7,15 @@
 # any name will do - e.g., 'foo.update' will create
 # 'foo.ini')
 
+[secrets]
+# the tokens in this section are base64 encoded
+# general purpose secret
+SECRET = YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5
+# secret for /prefs/feeds
+FEEDSECRET = YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5
+# used for authenticating admin API calls w/o cookie
+ADMINSECRET = YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5
+
 
 #
 # r2 - Pylons development environment configuration
@@ -43,14 +52,6 @@ error_reporters =
 # the site's tagline, used in the title and description
 short_description = open source is awesome
 
-# -- SECRETS! <-- update these first! --
-# global secret
-SECRET = abcdefghijklmnopqrstuvwxyz0123456789
-# secret for /prefs/feeds
-FEEDSECRET = abcdefghijklmnopqrstuvwxyz0123456789
-# used for authenticating admin API calls w/o cookie
-ADMINSECRET = abcdefghijklmnopqrstuvwxyz0123456789
-
 CLOUDSEARCH_SEARCH_API =
 CLOUDSEARCH_DOC_API =
 CLOUDSEARCH_SUBREDDIT_SEARCH_API =