Adding aesgcm info back in and mentioning migrating between types

Author: bergerhoffer

modules/enabling-etcd-encryption.adoc

@@ -20,6 +20,13 @@ After you enable etcd encryption, several changes can occur:
 * A disk I/O can affect the node that receives the backup state.
 ====
 
+You can encrypt the etcd database in either AES-GCM or AES-CBC encryption.
+
+[NOTE]
+====
+To migrate your etcd database from one encryption type to the other, you can modify the API server's `spec.encryption.type` field. Migration of the etcd data to the new encryption type occurs automatically.
+====
+
 .Prerequisites
 
 * Access to the cluster as a user with the `cluster-admin` role.
@@ -33,19 +40,19 @@ After you enable etcd encryption, several changes can occur:
 $ oc edit apiserver
 ----
 
-. Set the `encryption` field type to `aescbc`:
+. Set the `spec.encryption.type` field to `aesgcm` or `aescbc`:
 +
 [source,yaml]
 ----
 spec:
   encryption:
-    type: aescbc <1>
+    type: aesgcm <1>
 ----
-<1> The `aescbc` type means that AES-CBC with PKCS#7 padding and a 32 byte key is used to perform the encryption.
+<1> Set to `aesgcm` for AES-GCM encryption or `aescbc` for AES-CBC encryption.
 
 . Save the file to apply the changes.
 +
-The encryption process starts. It can take 20 minutes or longer for this process to complete, depending on the size of your cluster.
+The encryption process starts. It can take 20 minutes or longer for this process to complete, depending on the size of the etcd database.
 
 . Verify that etcd encryption was successful.