...
After the FINISH phase is complete, a new encryption key for writing is set on all nodes, i.e. the key change process is formally completed.
Background re-encryption of existing data will be completed sometime in the future, the new "pagesLeftForReencryption" cache group metric can be used to track re-encryption progress ('0' means the process has ended).
The process applies for all existing partitions including index.
...
If CACHE_GROUP_KEY_CHANGE_PREPARE has not been successfully completed on all nodes, the process is interrupted and must be restarted.
When the process restarts, a new key identifier is generated (an unused key will be overwritten).
...
The node join is rejected during the encryption key rotation, but this limitation may be revised in the future.
When a node joins the cluster (before/after key rotation), it receives the current encryption keys for the cache groups used for writing (it "rotates" encryption key automatically).
If the encryption key is a new key, then the node sets it for writing and starts the background re-encryption process (it starts re-encryption automatically).
Therefore, a node may leave the cluster during a key change, or a node may be absent and rejoin later (it does not matter if the baseline changes or not).
If the node stops/fails during re-encryption, after restarting it must continue re-encryption from the stored offset:
...