Implementing node -> node encryption - can be done with no downtime and no cluster splitting:
1. Create all certs, .truststores and .keystores and deploy them onto nodes in the old DC
2. On all nodes in the old DC set: internode_encryption: dc
3. Perform a rolling restart of all nodes in the old DC
3. Prepare all the nodes on the new DC with their certs, .truststores and .keystores and set: internode_encryption: all
4. Bring up the new DC
Summary: The old DC will talk to the new DC encrypted.
And the new DC would talk everywhere encrypted.