The unique encryption keys referred to are the Session keys used after the join.
Best practice for overall security is unique AppKeys per device as you are trying to configure.
lora-query is the current way to configure unique appkeys per dev-eui.
Be sure that the app-eui configured with the dev-eui does NOT match the NetworkID assigned to the Conduit. Otherwise it will validate the join against the Network Key.
If you need more help with lora-query please provide more detail of what you have tried and what is not working for you.