Apply suggestions from code review
Co-authored-by: shichun-0415 <89768198+shichun-0415@users.noreply.github.com>
lidezhu and shichun-0415 committed Mar 7, 2023
1 parent d3126f2 commit e5fbf71
Showing 1 changed file with 12 additions and 12 deletions.
24 changes: 12 additions & 12 deletions encryption-at-rest.md
Expand Up @@ -197,7 +197,7 @@ data-encryption-method = "aes128-ctr"
data-key-rotation-period = "168h" # 7 days
```

Or add the following contents in tiup cluster template:
Alternatively, add the following contents in the TiUP cluster template:

```
server_configs:
Expand All @@ -208,7 +208,7 @@ server_configs:

Possible values for `data-encryption-method` are "aes128-ctr", "aes192-ctr", "aes256-ctr", "sm4-ctr" (only in v6.4.0 and later versions) and "plaintext". The default value is "plaintext", which means encryption is not turned on. `data-key-rotation-period` defines how often TiFlash rotates the data key. Encryption can be turned on for a fresh TiFlash cluster, or an existing TiFlash cluster, though only data written after encryption is enabled is guaranteed to be encrypted. To disable encryption, remove `data-encryption-method` in the configuration file, or reset it to "plaintext", and restart TiFlash. To change encryption method, update `data-encryption-method` in the configuration file and restart TiFlash. To change the encryption algorithm, replace `data-encryption-method` with a supported encryption algorithm and then restart TiFlash. After the replacement, as new data is written in, the encryption file generated by the previous encryption algorithm is gradually rewritten to a file generated by the new encryption algorithm.

The master key has to be specified if encryption is enabled (that is,`data-encryption-method` is not "plaintext"). To specify a AWS KMS CMK as master key, add the `encryption.master-key` section after the `encryption` section in the tiflash-learner.toml config file:
The master key has to be specified if encryption is enabled (that is,`data-encryption-method` is not "plaintext"). To specify an AWS KMS CMK as the master key, add the `encryption.master-key` section after the `encryption` section in the `tiflash-learner.toml` configuration file:

```
[security.encryption.master-key]
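Review bot: the rewritten master-key sentence still has no space after "that is," (`that is,\`data-encryption-method\``); since this line is being touched anyway, change it to "that is, `data-encryption-method` is not \"plaintext\"". In the unchanged paragraph just above it, the two sentences "To change encryption method, update `data-encryption-method` in the configuration file and restart TiFlash." and "To change the encryption algorithm, replace `data-encryption-method` with a supported encryption algorithm and then restart TiFlash." describe the same step; consider keeping only the second one, which also carries the note about old files being gradually rewritten, so readers are not left wondering whether "method" and "algorithm" are different settings.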
Expand All @@ -218,7 +218,7 @@ region = "us-west-2"
endpoint = "https://kms.us-west-2.amazonaws.com"
```

Or add the following contents in tiup cluster template:
Alternatively, add the following contents in the TiUP cluster template:

```
server_configs:
Expand All @@ -229,17 +229,17 @@ server_configs:
security.encryption.master-key.endpoint: "https://kms.us-west-2.amazonaws.com"
```

The meanings of the above configuration items are the same as those of TiKV.
The meanings of the preceding configuration items are the same as those of TiKV.

To specify a master key that's stored in a file, add the following configuration in tiflash-learner.toml configuration file:
To specify a master key that is stored in a file, add the following configuration in the `tiflash-learner.toml` configuration file:

```
[security.encryption.master-key]
type = "file"
path = "/path/to/key/file"
```

Or add the following contents in tiup cluster template:
Alternatively, add the following contents in the TiUP cluster template:

```
server_configs:
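Review bot: "The meanings of the preceding configuration items are the same as those of TiKV." (and the same sentence after the file-based master key block) points the reader at TiKV without a link, whereas the last hunk of this change adds an in-page anchor for the compatibility section. For consistency, link these sentences to the TiKV master-key configuration section of this document the same way, so a TiFlash-only reader can find the field definitions and the key-file format without scrolling back through the TiKV half of the page.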
Expand All @@ -248,13 +248,13 @@ server_configs:
security.encryption.master-key.path: "/path/to/key/file"
```

The meaning of the above configuration items and the content format of the key file are the same as those of TiKV.
The meanings of the preceding configuration items and the content format of the key file are the same as those of TiKV.

### Rotate the master key

To rotate master key of TiFlash, follow the same steps as tikv. Currently online master key rotation is also not supported, so you need to restart TiFlash. It is advised to do a rolling restart to a running TiFlash cluster serving online query.
To rotate the master key of TiFlash, follow the steps to rotate the master key of TiKV. Currently, TiFlash does not support online master key rotation, either. Therefore, you need to restart TiFlash to make the rotation effective. It is recommended to do a rolling restart to a running TiFlash cluster serving online query.

To rotate the KMS CMK, add the following contents in tiflash-learner.toml configuration file:
To rotate the KMS CMK, add the following contents in the `tiflash-learner.toml` configuration file:

```
[security.encryption.master-key]
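Review bot: "a running TiFlash cluster serving online query" should be "serving online queries". In the same rewritten paragraph, "follow the steps to rotate the master key of TiKV" would read better with a link to the TiKV master key rotation section, matching the anchor style introduced in the last hunk; the reader is being told to apply a procedure that lives elsewhere on the page without a pointer to it.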
Expand All @@ -268,7 +268,7 @@ key-id = "0987dcba-09fe-87dc-65ba-ab0987654321"
region = "us-west-2"
```

Or add the following contents in tiup cluster template:
Alternatively, add the following contents in the TiUP cluster template:

```
server_configs:
Expand All @@ -285,11 +285,11 @@ server_configs:

To monitor encryption at rest, if you deploy TiFlash with Grafana, you can look at the **Encryption** panel in the **TiFlash-Proxy-Details** dashboard. The meaning of monitoring items is the same as that of TiKV.

For debugging, since TiFlash reuses TiKV's logic for managing encrypted metadata, the `tikv-ctl` command can be used to dump encryption metadata such as encryption method and data key id used to encryption the file, as well as list of data keys. Since the operation can expose sensitive data, it is not recommended to use in production. Please refer to [TiKV Control](/tikv-control.md#dump-encryption-metadata) document.
For debugging, since TiFlash reuses TiKV's logic for managing encrypted metadata, the `tikv-ctl` command can be used to dump encryption metadata such as encryption method and data key ID used to encryption the file, as well as list of data keys. This operation can expose sensitive data and is therefore not recommended in production. Refer to [TiKV Control](/tikv-control.md#dump-encryption-metadata) for more details.

### Compatibility between TiKV versions

TiFlash also optimizes encrypted metadata operations in v4.0.9, and its compatibility requirements are the same as those of TiKV.
TiFlash also optimizes encrypted metadata operations in v4.0.9, and its compatibility requirements are the same as those of TiKV. For details, see [Compatibility between TiKV versions](#compatibility-between-tikv-versions).

## BR S3 server-side encryption
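Review bot: the rewritten `tikv-ctl` sentence still contains "data key ID used to encryption the file"; it should be "used to encrypt the file", and "as well as list of data keys" should be "as well as the list of data keys". In the last changed line, the new link `[Compatibility between TiKV versions](#compatibility-between-tikv-versions)` targets a slug that this TiFlash subsection (`### Compatibility between TiKV versions`, visible in the same hunk) also generates; it only resolves to the TiKV section if that heading appears first in the file and the renderer suffixes the duplicate. Please verify the rendered link lands on the TiKV section rather than on this paragraph itself.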

