Hi Ted, take a look here as a start: https://mariadb.com/kb/en/library/data-at-rest-encryption/
But yes, while the server is up and running, any authorized sql user can request the data and it will be delivered by your server. You have to consider what threat/risk you are mitigating. It sounds like they are worried that someone will have access to your network, and have access to the database files, but won't have an SQL user credential or the ability to modify the moodle files to make it spit out the data anyways. That's a fairly narrow/specific threat, but I guess if that's what they require, that's what you can implement.
Implementation details will depend on your specific database server software. Here's Microsoft's docs for SQL Server: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/sql-server-encryption