What you are describing is called "encryption at rest". "encryption in transit" is already take care of by FMS if you enable the SSL option on the server.
You will need scripts to decrypt end re-encrypt data as the user asks for it. The idea is that you only decrypt data on a per-record basis, so never to display that field in a list view or on a report. You have to be very careful keeping track of when data is in encrypted or decrypted form. You do NOT want to encrypt data that is already encrypted thinking that is not or you will never be able to get the original data back.
The biggest problem is where to store the encryption key. You do not want to store that inside your solution, that kind of defeats the whole purpose of the extra security. That is not an easy problem to solve and you probably need to ask IT what their guidelines are.
You will need a plugin for this. Troi has one, Sky Dancer Studios has one too.