Comment by dig1

2 years ago

> Where are the encryption keys stored? Does the client have to type in a password every time?

It depends on the use case. Typing a password to unlock the database when the app is started is a popular approach (e.g., KeePassX does this), but you can also hardcode/obfuscate it, fetch it remotely, etc.

> Userspace encryption of user data has been almost universally rejected

Any kind of encryption is better than none. However, an encrypted drive will add zero value if your data and OS can be accessed remotely.