Andreas has a test where if he restarts with an invalid/different system key it fails to decrypt and the callback decrypt returns EINVAL. However, WT also makes an encrypt call before that error is returned and something is written, encrypted to disk, with the wrong key.

I have asked Andreas to get a stack trace from the encrypt call to see where it is coming from and why it can happen before the EINVAL error gets back out.