Encryption is only done on the client side currently for exporting (messages, channels, etc.). It would be a performance hit to do encryption on the server for these things, but I think it's necessary from a security standpoint. Right now we're passing the secret symmetric key from the server to the client over the network. Even though that obviously happens from within HTTPS, most users still use the default self-signed cert.
The LDAP extension currently also encrypts the admin password on the client.