As noted by https://github.com/MariaDB/mariadb-docker/issues/417, the disabling of the file-key-management plugin in mysql_install_db prevents upgrades or the initialization of containers with encryption.
This was caused by commit:
This is excessively brutal as the file-key-management-filename may actually be set using scripts and automation (like Ansible) that will deploy a configuration before starting a service.
As mysql_install_db creates InnoDB tables, a user specified innodb_encrypt_tables = ON will cause the installation to fail. With file-key-management plugin explicitly disabled, the only innodb system table space encryption is available with another encryption plugin, or using mysqld --bootstrap directly.