For security on the network there is secure communication (Encrypted Control Communication - ECC) that can be enabled for clients. It encrypts communication, but does not encrypt bulk data transfer from DA to MA due to performance reasons.
For encryption you have the option of encrypting data on the source side, which I think is what you were exploring. The data in this case is encrypted by the client before it is sent to MA. The drawback is that data is encrypted by the client, causing a performance penalty. The second drawback is that this is not available for all agents (integrations).
The second option is encryption on the drive, if the drive hardware supports it. The data is sent to MA in plain, and is encrypted in HW by the drive itself, which should not have a big performance impact.
In both encryption cases the data or the tape contains only the id of the decryption key. The key itself is stored on the cell server in the keystore (back it up!). This id is used to get the proper decryption key during restore. So your data at rest, wherever it is, should be safe.