This is likely to be needed by executors as well since passing
decrypted secrets to the executors via zookeeper has the same
encrypted-at-rest concerns as they keystore itself. To avoid
confusion around executors needing a zuul.conf with a scheduler
section, start a new keystore section which we can later indicate
is used by schedulers and executors. It also makes it convenient
to add new options (like those dealing with rotation, or even
using an external keystore).
Also change some log levels from debug to info where it's useful
for the operator to know that the backup keystore was used (or
a key was generated).