TL;DR: just get the encryption Certificate loaded on every AG instance before encrypting, and it will just work.
TDE encryption is performed as normal transactions against a database. When you perform TDE operations against the Primary Replica database in an AG, those operations are replicated to the Secondary Replica(s) just like all other transactions.
The key to make TDE work in an AG is to have the encryption keys loaded on all Secondary Replicas before performing the TDE ops on the Primary.
To do certificate-based TDE for a database in an AG:
1. Create the TDE Certificate in the master database on one of the instances.
2. Use BACKUP CERTIFICATE to back up the Certificate and its Private Key to files.
3. Use CREATE CERTIFICATE [...] FROM FILE to restore the Certificate on all other SQL instances that will hold replicas of the encrypted database.
4. Encrypt the Primary Replica (create the Database Encryption Key, enable encryption). As the Primary is being encrypted, the Secondaries will also be encrypted. You can watch the encryption process progress on each database by selecting from the view sys.dm_database_encryption_keys. You can run that on the Secondary Replicas to verify that they are also being encrypted.
To rotate the TDE Certificate ('rotate' = 'switch to a new key'), repeat steps #1-3 above to place the new Certificate everywhere it will be used, then tell the Primary to use the new Certificate (USE [your_database]; ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER CERTIFICATE [new_cert_name]).
Changes on the Primary will be automatically applied to the Secondaries.
Rotating/regenerating the Database Encryption Key (DEK) works in an AG the same way it does for non-AG: rotate on the Primary and the changes will be replicated to the Secondaries.
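The full procedure above (initial encryption and the later certificate rotation) as one added T-SQL walkthrough; this is an illustrative script, not part of the original answer. Certificate names, the database name, file paths and the password placeholders are assumptions, and the pre-flight thumbprint comparison is the check that catches a replica on which the certificate was never loaded.

```sql
-- Step 1 (primary instance): a Database Master Key must exist in master before a
-- certificate with a private key can be created or restored there.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';  -- skip if one exists
CREATE CERTIFICATE TDE_AG_Cert WITH SUBJECT = 'TDE certificate for AG databases';

-- Step 2 (primary instance): export certificate + private key; the .pvk is protected
-- by its own password, so keep both files and that password off the replicas afterwards.
BACKUP CERTIFICATE TDE_AG_Cert
    TO FILE = 'C:\TDE\TDE_AG_Cert.cer'
    WITH PRIVATE KEY (FILE = 'C:\TDE\TDE_AG_Cert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong private key password>');

-- Step 3 (every other replica instance): restore into master under the SAME name.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';  -- skip if one exists
CREATE CERTIFICATE TDE_AG_Cert
    FROM FILE = 'C:\TDE\TDE_AG_Cert.cer'
    WITH PRIVATE KEY (FILE = 'C:\TDE\TDE_AG_Cert.pvk',
                      DECRYPTION BY PASSWORD = '<strong private key password>');

-- Pre-flight check, run on EVERY replica: the thumbprint must be identical everywhere.
-- A missing row, or a differing thumbprint, means that replica cannot open the DEK
-- and its copy of the database will become unusable once encryption starts.
SELECT name, thumbprint FROM master.sys.certificates WHERE name = 'TDE_AG_Cert';

-- Step 4 (primary replica only): create the DEK and switch encryption on.
USE [YourAGDatabase];
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_AG_Cert;
ALTER DATABASE [YourAGDatabase] SET ENCRYPTION ON;

-- Progress check, valid on the primary and on each secondary:
-- encryption_state 2 = encryption in progress, 3 = encrypted, 4 = key change in progress.
SELECT DB_NAME(database_id) AS database_name, encryption_state,
       percent_complete, encryptor_thumbprint
FROM sys.dm_database_encryption_keys;

-- Rotation: after repeating steps 1-3 for a new certificate (TDE_AG_Cert_v2 here),
-- re-protect the DEK on the primary; the change replicates to the secondaries.
USE [YourAGDatabase];
ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER CERTIFICATE TDE_AG_Cert_v2;

-- Confirm on every replica that encryptor_thumbprint now matches TDE_AG_Cert_v2.
SELECT DB_NAME(database_id) AS database_name, encryptor_thumbprint
FROM sys.dm_database_encryption_keys;
```

Keep the old certificate (or a backup of it) until every replica reports the new thumbprint and any database or log backups protected by the old certificate are no longer needed.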