We use 3DES in CBC mode with 192 key size to encrypt the sensitive data.
When we create the organization it asks what user data we want to encrypt like username, PAM, email address etc.
Passwords are encrypted.
But you can still encrypt your whole database. Make sure that it returns a decrypted value when the webfort/riskfort tries to fetch something.