Description of problem:

AWS clusters installed by the cluster have never had .  Since bug 1734193 was fixed, we can ask the machine-API provider to provision workers with encrypted root volumes even for Machine(Set)s that use unencrypted AMIs [1].  Questions are:

1. Do we want encrypted root volumes on compute machines?  We already encrypt root volumes for the bootstrap and control-plane machines (via copy-and-encrypted AMIs for those Terraform-provisioned machines).  When this is just a question of setting a property in the compute MachineSets, I don't see why we wouldn't want encrypted compute machines.
2. If we do want encrypted compute machines, do we want to backport that to previous releases?  I don't really care about this point.  Folks who are installing new clusters are unlikely to stick to 4.1 for long after 4.2 is out.  Folks who installed a 4.1 cluster and subsequently upgrade it will likely continue to upgrade through 4.2 (although you'd need some non-installer component if you wanted to get encrypted instances after an upgrade).  Folks who installed a 4.1 cluster and who never upgrade it aren't going to get new cluster behavior however we provide it.  I'm fine backporting the small fix to 4.1.z so new-cluster folks can benefit without having to wait for 4.2.0.  But I'm also fine leaving the old branches alone.

Thoughts?

[1]: https://github.com/openshift/installer/pull/2160