Split out advice about config reloads for encryption at rest

content/en/docs/tasks/administer-cluster/encrypt-data.md

@@ -34,7 +34,7 @@ This page shows how to enable and configure encryption of secret data at rest.
 The `kube-apiserver` process accepts an argument `--encryption-provider-config`
 that controls how API data is encrypted in etcd.
 The configuration is provided as an API named
-[`EncryptionConfiguration`](/docs/reference/config-api/apiserver-encryption.v1/). `--encryption-provider-config-automatic-reload` boolean argument determines if the file set by `--encryption-provider-config` should be automatically reloaded if the disk contents change. This enables key rotation without API server restarts. An example configuration is provided below.
+[`EncryptionConfiguration`](/docs/reference/config-api/apiserver-encryption.v1/). An example configuration is provided below.
 
 {{< caution >}}
 **IMPORTANT:** For high-availability configurations (with two or more control plane nodes), the
@@ -462,6 +462,19 @@ Then run the following command to force decrypt all Secrets:
 kubectl get secrets --all-namespaces -o json | kubectl replace -f -
 ```
 
+## Configure automatic reloading
+
+You can configure automatic reloading of encryption provider configuration.
+That setting determines whether the
+{{< glossary_tooltip text="API server" term_id="kube-apiserver" >}} should
+load the file you specify for `--encryption-provider-config` only once at
+startup, or automatically whenever you change that file. Enabling this option
+allows you to change the keys for encryption at rest without restarting the
+API server.
+
+To allow automatic reloading, configure the API server to run with:
+`--encryption-provider-config-automatic-reload=true`
+
 ## {{% heading "whatsnext" %}}
 
 * Learn more about the [EncryptionConfiguration configuration API (v1)](/docs/reference/config-api/apiserver-encryption.v1/).