Design is very similar to HDFS TDE feature. Using KMS encrypts the data before store and decrypt it after reading.
https://issues.apache.org/jira/secure/attachment/12957995/Ozone%20Encryption%20At-Rest%20-%20V2019.2.7.pdf