You can’t have an encrypted read replica of an unencrypted DB instance or an unencrypted read replica of an encrypted DB instance. Encrypted read replicas must be encrypted with the same CMK as the source DB instance when both are in the same AWS Region.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
