It would not be hard to do an encrypted remote.
We already have to support moving between different versions of the noms format, which changes all the hashes. Encryption is the same. You can look at an encrypted remote as just a different version of the format, and use the same approach.
Star this bug, and when the migrate program has landed, you could basically just fork it to support encryption: