
[keyring] immutable cryptographic materials #214

Closed
@mattsb42-aws

Description


If possible, I'd like to get the encryption/decryption materials as close to immutable as possible to make handling them simpler and to fit better into the descriptions evolving in the spec[1].

The two goals I have in mind with this are:

  1. Make it as simple as possible to think about what is changing the materials, when, and where. The simplest possible answer is that "they never change".
  2. Make it as hard as possible to change the materials without the appropriate metadata (keyring trace).

We might not be able to get them all the way because they need to continue to work with CMMs, but I'd like to make it possible to use them in an immutable way.

The simplest hurdles to this are:

  1. `copy.copy` and `copy.deepcopy` should work as expected.
  2. Rather than methods like add_data_encryption_key mutating the existing materials, they should return new materials based on the initial materials that also include the values to be added.

We're at an inflection point with keyrings. I think that if we do not do this before we release keyrings then we will probably never be able to reasonably do it, but if we do it before keyrings then we can simply say "if you are using keyrings then materials are always immutable".

[1] awslabs/aws-encryption-sdk-specification#56
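One way to get the behaviour the issue asks for, as an added Python sketch that is not the SDK's own code: a frozen dataclass whose `with_...` methods return new materials instead of mutating, refuse to add a key without a keyring trace entry, and survive `copy.copy`/`copy.deepcopy`. The class and field names, the `GENERATED_DATA_KEY`/`ENCRYPTED_DATA_KEY` flag strings and the `is_immutable` helper are assumptions for illustration.

```python
import copy
import dataclasses
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class KeyringTraceEntry:
    """Hypothetical trace record: which wrapping key touched the materials, and how."""
    wrapping_key_name: str
    flags: Tuple[str, ...]


@dataclass(frozen=True)
class EncryptionMaterials:
    """Hypothetical immutable materials: every 'change' returns a new instance."""
    algorithm: str
    encryption_context: Tuple[Tuple[str, str], ...]  # tuple of pairs, not a mutable dict
    data_encryption_key: Optional[bytes] = None
    encrypted_data_keys: Tuple[bytes, ...] = ()
    keyring_trace: Tuple[KeyringTraceEntry, ...] = ()

    def with_data_encryption_key(self, key: bytes, trace: KeyringTraceEntry) -> "EncryptionMaterials":
        """New materials carrying the plaintext data key; a matching trace entry is mandatory."""
        if self.data_encryption_key is not None:
            raise ValueError("data encryption key is already set")
        if "GENERATED_DATA_KEY" not in trace.flags:
            raise ValueError("trace must record that a data key was generated")
        return replace(self, data_encryption_key=key,
                       keyring_trace=self.keyring_trace + (trace,))

    def with_encrypted_data_key(self, edk: bytes, trace: KeyringTraceEntry) -> "EncryptionMaterials":
        """New materials with one more encrypted data key appended; the original is untouched."""
        if self.data_encryption_key is None:
            raise ValueError("no plaintext data key to wrap")
        if "ENCRYPTED_DATA_KEY" not in trace.flags:
            raise ValueError("trace must record that a data key was encrypted")
        return replace(self, encrypted_data_keys=self.encrypted_data_keys + (edk,),
                       keyring_trace=self.keyring_trace + (trace,))


def is_immutable(materials: EncryptionMaterials) -> bool:
    """True if in-place assignment is rejected and copy/deepcopy yield equal objects."""
    try:
        materials.data_encryption_key = b"\x00"  # type: ignore[misc]
        return False
    except dataclasses.FrozenInstanceError:
        pass
    return copy.copy(materials) == materials and copy.deepcopy(materials) == materials
```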
