Question

I need to do a little benchmarking of AlwaysOn, both with and without TDE enabled. All the instructions I see cover adding encrypted databases to an availability group, but I see no mention of enabling encryption for a database already in an AG.

Can I just restore the server certificate to all nodes, then enable TDE from the primary? I'm hoping I don't need to remove the database from the AG, encrypt it, then reinitialize all nodes, as the database is around 100 GB. We can do that if needed, but it'll certainly slow down our testing a bit.

Update

I just tried this on some lab VMs. I was able to create a certificate at the primary, restore it on all the secondary nodes, then create a database encryption key at the primary using this certificate. All I had to do after that was ALTER DATABASE AdventureWorks SET ENCRYPTION ON at the primary server, and after a minute or two, sys.dm_database_encryption_keys showed encryption_state = 3 at all nodes.

So, follow-up question: Is there any reason to think that I shouldn't use this procedure? SQL Server appears to be happy with the results, but I haven't seen this approach discussed anywhere. When dealing with encryption and high-availability matters, I don't want to leave things to chance.
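The procedure described in the update, written out as a T-SQL script. This is an added example, not the asker's own script: the certificate name, file paths, passwords and the AdventureWorks database name are placeholders to be replaced, and the script assumes a database master key already exists (or is created here) in master on every replica. The check against sys.certificates before creating the database encryption key is the step a practitioner would want, because a secondary that lacks the certificate cannot decrypt the log records it receives once encryption is on.

```sql
-------------------------------------------------------------------
-- Step 1: on the PRIMARY replica, create the certificate and export it
-------------------------------------------------------------------
USE master;
GO
-- A database master key in master is required before a certificate with
-- a private key can be created or restored (skip if one already exists).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
GO
CREATE CERTIFICATE TDE_AG_Cert WITH SUBJECT = 'TDE certificate for AG databases';
GO
-- Export the certificate and its private key. Placeholder paths; the .pvk
-- file and its password protect the ability to read every TDE database,
-- so move them over a secure channel and delete the copies afterwards.
BACKUP CERTIFICATE TDE_AG_Cert
    TO FILE = 'C:\tde\TDE_AG_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\tde\TDE_AG_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<strong private key password>');
GO

-------------------------------------------------------------------
-- Step 2: on EVERY SECONDARY replica, import the same certificate
-------------------------------------------------------------------
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
GO
CREATE CERTIFICATE TDE_AG_Cert
    FROM FILE = 'C:\tde\TDE_AG_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\tde\TDE_AG_Cert.pvk',
        DECRYPTION BY PASSWORD = '<strong private key password>');
GO

-------------------------------------------------------------------
-- Step 3: verify the thumbprint matches on all replicas BEFORE creating
-- the database encryption key. Run on each node; the thumbprints must agree.
-------------------------------------------------------------------
SELECT name, thumbprint, pvt_key_encryption_type_desc, expiry_date
FROM master.sys.certificates
WHERE name = 'TDE_AG_Cert';
GO

-------------------------------------------------------------------
-- Step 4: on the PRIMARY replica only, create the DEK and turn TDE on.
-- The DEK and the encryption scan are logged, so they replicate to the
-- secondaries through the availability group like any other change.
-------------------------------------------------------------------
USE AdventureWorks;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_AG_Cert;
GO
ALTER DATABASE AdventureWorks SET ENCRYPTION ON;
GO

-------------------------------------------------------------------
-- Step 5: monitor on every replica until encryption_state = 3.
-- encryption_state: 1 = unencrypted, 2 = encryption in progress,
-- 3 = encrypted, 5 = decryption in progress.
-------------------------------------------------------------------
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       k.encryptor_thumbprint
FROM sys.dm_database_encryption_keys AS k;
GO
```

Two points worth keeping in mind when running this against a real AG: do step 3 on every replica, including any that is currently offline or being added later, because the certificate is not part of the availability group and is never copied by it; and keep a backup of the certificate and private key somewhere the database backups are not, since a TDE-encrypted backup is unreadable without it.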


Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange