Afaik, the connection will encrypt when it bonds. I have not found a separate procedure to encrypt without bonding unfortunately. Perhaps a cypress employee knows otherwise? Worst case, you can re-bond with the bonded device to re-enable encryption. I do agree that it should be automatic, but I haven't found settings to modify/set it up.
Smartphones connecting to an EZ-Serial peripheral device should automatically re-encrypt the link for you after establishing a connection. I have recently checked both Android (6.0) and iOS in this regard, and found them to work as expected. Here's an example log output:
[connect from LightBlue iOS]
[request pairing from EZ-Serial]
[confirm request on smartphone, iOS takes over as pairing initiator]
[pairing and bonding completed successfully, now disconnect on smartphone side]
[reconnect from same smartphone, note new bond handle 0x04]
[above three bond record/pairing/encryption events happen automatically with no additional interaction]
If EZ-Serial is acting as the central device (initiating the connection to a peripheral), then it does not automatically re-encrypt the link on its own after reconnecting to a previously bonded device. However, all you need to do in this case is issue the smp_pair command again ("/P"), and it will encrypt using previously exchanged information. You will not need to go through the whole bonding and passkey entry process again. Here's an example log from an EZ-Serial central-role session:
[configure MITM support and full keyboard+mouse I/O capabilities]
[connect to remote peripheral]
[initiate pairing with remote device, which has display only I/O]
[enter passkey, which is 0x0000131E on remote device ('004894')]
[pairing completes successfully, now disconnect]
[reconnect to same device, note non-zero bond handle 0x04 indicating previous bond]
[use pairing command to re-encrypt]
[encryption completes, no additional interaction required on either device]
Hopefully this helps explain the execution flow. E.pratt is correct that there is no BLE component stack API method (or EZ-Serial API command) which is explicitly meant to re-encrypt separately from any other pairing/bonding activity. The stack handles whether to use existing stored keys or to initiate a new exchange/verification process based on stored bonding data.
Thanks - that seems to do it. It hadn't worked for me before, but I'm thinking I wasn't paired and bonded properly.