Hello @amakumar! This would depend on the requirement. Also I think you want to look at hashing options as well along with encription. There are multiple options here:
1. If your requirement is to secure the email id data at rest, AEP offers encryption at rest by default. Refer here - https://www.adobe.com/content/dam/cc/en/security/pdfs/AEP_SecurityOverview.pdf
2. If you want to restrict some users/user groups, then you should use Role Based Access Controls and if you want to restrict data sharing to platforms not dealing with PII, then you should use DULE lables and Data Governance features of AEP. (By default, the email ids are stored in clear and AEP/CDP typically stores like this (industry practice) since they deal with PII powered systems downstream).
3. If you want to obscure the email ids, then use only hashed ids for all usecases. You can pass pre-hashed email ids if you want (during data collection phase). Adobe has support for that in SHA-256 format. (Refer this documentation - https://experienceleague.adobe.com/docs/id-service/using/reference/hashing-support.html?lang=en#hash...) But this will only hash the incoming email id. I am not sure if it re-hashes when sending to a destination.
4. If you want to hash only when sending to a specific destination (like LinkedIn) and you are storing unhased email ids, then you can do the hashing when mapping segments. (again this will only hash, not come across a scenario for unhashing at destination). Example here - https://experienceleague.adobe.com/docs/experience-platform/destinations/catalog/social/linkedin.htm...
Hope this helps!