Ask HN: Two specific Postgres encrypt questions

2 points, posted 8 hours ago
by scrubs

Item id: 48626895

1 Comment

stop50

8 hours ago

You are misunderstanding the transport encryption (everything related to authentication and pg_hba.conf) and the encryption of the data at rest.

You want the encryption at rest. For that you have 3 options:

1. Encryption in the application.

2. Use of pgcrypto as documented.

3. Encryption of the partition where postgres stores the data via LUKS or similar.

For 1. and 2. it means that indices for encrypted columns become useless and are only a waste of CPU time.

2. has the problem of transmitting the key at the start of the connection, so it needs to be encrypted (TLS encryption).

It's a bit of a fault with the documentation, since it mixes the two types of encryption up.
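
Added example, not part of stop50's comment: a pgcrypto session showing why an index on an encrypted column does not serve lookups and where the key travels. The table, column, index and passphrase are constructed for illustration.

```sql
-- Added illustration; all names and values below are hypothetical.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE patient (
    id      bigserial PRIMARY KEY,
    ssn_enc bytea NOT NULL            -- ciphertext from pgp_sym_encrypt()
);
CREATE INDEX patient_ssn_enc_idx ON patient (ssn_enc);

-- The passphrase is part of the statement, so it crosses the network from
-- client to server with every call. Without TLS on the connection it is
-- readable on the wire, together with the plaintext.
INSERT INTO patient (ssn_enc) VALUES
    (pgp_sym_encrypt('123-45-6789', 'demo-passphrase')),
    (pgp_sym_encrypt('123-45-6789', 'demo-passphrase'));

-- pgp_sym_encrypt() uses a fresh random salt and session key per call, so
-- the two rows hold different ciphertexts for the same plaintext.
SELECT count(DISTINCT ssn_enc) AS distinct_ciphertexts FROM patient;

-- Re-encrypting the search value yields yet another ciphertext, so an
-- equality match against the indexed column cannot find the stored rows.
SELECT id FROM patient
WHERE ssn_enc = pgp_sym_encrypt('123-45-6789', 'demo-passphrase');

-- Searching by plaintext means decrypting every row; the planner cannot
-- use patient_ssn_enc_idx for this predicate.
EXPLAIN
SELECT id FROM patient
WHERE pgp_sym_decrypt(ssn_enc, 'demo-passphrase') = '123-45-6789';
```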