In the CentOS7 package there is a /etc/my.cnf.d/encryption.preset file. This file contains configurations 'loose-innodb-encrypt-log' and 'loose-innodb-encrypt-tables'.
Why are these configurations prefixed with 'loose-'?
Also it contains aria-encrypt-tables, the server does not start with this. It requires an option, after changing this to =1 it no longer gives an error on this.
According to the documentation it should be innodb-encrypt-tables = FORCE and innodb-encrypt-log: https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/#which-storage-engines-does-mariadb-encryption-support