53.2. Creating an encrypted database

Once the desired key management is in place, we can create the database instance. All it takes is a single initdb invocation; PgES takes care of the rest:

                % initdb -D /some_path/db16tde -K /somewhere/provide_key.sh

                The files belonging to this database system will be owned by user "hs".
                This user must also own the server process.

                The database cluster will be initialized with locale "C".
                The default database encoding has accordingly been set to "SQL_ASCII".
                The default text search configuration will be set to "english".

                Data page checksums are disabled.
                Data encryption is enabled.

                creating directory /some_path/db16tde ... ok
                creating subdirectories ... ok
                selecting dynamic shared memory implementation ... posix
                selecting default max_connections ... 100
                selecting default shared_buffers ... 128MB
                selecting default time zone ... Europe/Berlin
                creating configuration files ... ok
                running bootstrap script ... ok
                performing post-bootstrap initialization ... ok
                syncing data to disk ... ok

PgES adds the -K option to initdb; it takes the path of the key management executable. initdb runs that executable during initialization, as the OS user that will own the data directory (here "hs"), and configures the new cluster for TDE. The line "Data encryption is enabled." in the output is the confirmation that the cluster was created encrypted; if it is missing, initdb has produced an ordinary, unencrypted cluster. Because the key is fetched from this executable rather than stored in the data directory, the server has to be able to run it again every time it starts, so keep it (and the secret it provides) available and backed up separately from the data directory. Note also that data page checksums are independent of encryption and stay disabled, as shown above, unless you pass -k (--data-checksums) to initdb as well.
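The following wrapper is an added example written for this page, not part of the PgES documentation or product. It checks the key management executable before calling initdb -K, and after initdb finishes it refuses to accept the cluster unless the captured output contains the "Data encryption is enabled." line. The paths /some_path/db16tde and /somewhere/provide_key.sh are the placeholders used above; the permission rules it enforces (executable by the owner, not writable by group or others) are the editor's recommendation, not a PgES requirement.

```shell
#!/bin/sh
# Added example (editor's, not from the PgES documentation): wrapper around
# "initdb -K" with a pre-flight check of the key script and a post-check of
# initdb's output. Paths are placeholders.

# initdb runs the key script as the OS user that will own the cluster, so the
# script must exist and be executable. We also reject group/other write bits:
# anyone who can edit the script can substitute their own key.
check_key_script() {
    script=$1
    [ -f "$script" ] || { echo "key script missing: $script" >&2; return 1; }
    [ -x "$script" ] || { echo "key script not executable: $script" >&2; return 1; }
    # ls -ld prints e.g. "-rwxr-x---"; char 6 is group write, char 9 is other write.
    perms=$(ls -ld "$script" | cut -c1-10)
    case "$perms" in
        ?????w????|????????w?)
            echo "key script is writable by group or others: $script ($perms)" >&2
            return 1 ;;
    esac
    return 0
}

# initdb prints one status line for encryption. Anything other than
# "enabled" means the cluster is plaintext even though initdb exited 0.
verify_initdb_output() {
    out=$1   # file containing captured initdb output
    if ! grep -q '^[[:space:]]*Data encryption is enabled\.' "$out"; then
        echo "initdb did not report data encryption as enabled" >&2
        return 1
    fi
    # Checksums are unrelated to TDE and stay off unless -k was given.
    if grep -q 'Data page checksums are disabled' "$out"; then
        echo "note: data page checksums are disabled (add -k to initdb to enable them)" >&2
    fi
    return 0
}

# Full procedure: pre-flight, initdb -K (with -k for checksums), post-check.
# Not exercised here; it needs a PgES initdb on PATH.
create_encrypted_cluster() {
    datadir=$1 keyscript=$2
    check_key_script "$keyscript" || return 1
    log=$(mktemp) || return 1
    if ! initdb -D "$datadir" -k -K "$keyscript" >"$log" 2>&1; then
        cat "$log" >&2; rm -f "$log"
        echo "initdb failed" >&2
        return 1
    fi
    cat "$log"
    verify_initdb_output "$log"
    rc=$?
    rm -f "$log"
    return $rc
}

# Usage: ./create_tde_cluster.sh /some_path/db16tde /somewhere/provide_key.sh
if [ $# -ge 2 ]; then
    create_encrypted_cluster "$1" "$2"
fi
```

The pre-flight catches the most common reason for a failed encrypted initdb (a key script that is missing, not executable, or owned by the wrong user), and the post-check turns the informational "Data encryption is enabled." line into a hard requirement, so a typo in the -K path cannot silently leave you with an unencrypted cluster.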