cli: improve encryption-at-rest CLI ergonomics

[RaduBerinde]

This issue tracks providing an easier way to run cli debug tools against encrypted stores; currently we have to pass the --enterprise-encryption flag to each command.

CC @jbowens who had some ideas here.

Jira issue: CRDB-31276

[jbowens]

I think we should move to a world where the data directory self-describes the encryption-at-rest state. A user can continue to setup encryption-at-rest by passing --enterprise-encryption flags to the start command, but after they're provided once they may be omitted. The metadata around the current active store key is instead persisted within the data directory itself. Then all CLI commands may inspect this state automatically and do not require --enterprise-encryption.

[bdarnell]

Specifying the store path in both the --store and --enterprise-encryption flag is awkward (at least in some orchestration systems. I'm currently running into this in roachtest where the --store flag comes from deep inside roachprod but I'm trying to control the encryption flag in my test). I think we should make the path argument optional to apply the configuration to all stores, which is the common case (does anyone really want independent keys per store on the same node? Maybe in extreme recovery cases where you transplant a failed storage device from one host to another).

[bdarnell]

I think we should make the path argument optional to apply the configuration to all stores, which is the common case

I did this in #121111 but decided to use the special value path=* instead of making it implicit.