I am copy-pasting the code that was used earlier but you can make changes as per your requirements. it is available to code but I am iterating it here. We can use the encrypt and decrypt functions to take care of.
Last, but not least, you can create a stored procedure in some DB (SQL Server for example) that will encrypt the data and then map it into some variable in recipient data scheme or just expose it as a SQL function.
Also, for an unsubscribe function, the nms:recipient schema has @cryptedId attribute, that is recipient id encrypted with AES with server secret. If unsubscribe mechanic feeds back to Adobe server, you can use it as a token for unsubscribe function. It is secure and does not require you of exposing any of PII data.
I thought I resolved this issue but is not working well. Looks to be working on the preview but when trying on delivery is not working. The system throws errors when trying to send the email. it complains with following error.
JST -#ID# the result of the formula for the '<%LoadLibrary('URL in the '#ID#' delivery action is not valid . JST-#ID# failed to replace tracked URLs (content htmlContent)
we have used this in web applications. the user is redirected to adobe campaign web application where we keep the above script to handle encryption and decryption.
when sending out the link with id, we send encrypted ID in the link as you mentioned and when the user clicks on the link he is directed to the web application hosted inside adobe campaign where the script takes care of decryption and we can use xtk: session write method to update the schema about subscription or unsubscription.