When Cloud Encryption is enabled, cloning within the vertical instance hierarchy (production, qa, test, dev, etc.) is fully supported. Encryption is enabled/maintained based on the source instance’s current configuration (i.e., if you clone an encrypted prod -source to an unencrypted sub prod -target, the new clone sub prod will be encrypted).
Key management technically happens within the instance, so at the time of cloning - one of the following happens
1. The key management tables are excluded from the clone, this ensures the source and destination instances are encrypted with different keys
2. The key management tables are included with the clone and the same key is used across instances (which is bizzare if that happens)
