Some enterprise DBs can encrypt the data in the columns, but it's my understanding the DBAs can see through this, it's more encryption at rest kind of thing.

You'd be forced to encrypt/decrypt on your own. You'll need to override the various methods in your service layer. I'd probably use a model listener for encrypting on the fly, but your decryption will have to be peppered into the getters.

I'd take a page from how Liferay stores the password hashes - use a cleartext prefix which indicates the encryption method (its a cleartext string plus a colon followed by the base64 of the data). This will allow you to alter your encryption method(s) without re-encrypting all existing data, the decrypt code just needs to know how to handle all of the decryption methods. Also allows you test w/o encryption turned on so you can verify business logic w/o the encryption getting in the way.