We recommend SDK-side encryption for all sensitive information.
All SDKs rely on a pluggable DataConverter interface to perform serialization and deserialization of workflow and activity arguments and results. Implement your own DataConverter that encrypts data using whatever library and certificate management solution you prefer. This way, the service will never receive any of your data in clear text and no DB-level encryption is needed.
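A sketch of such an encrypting converter in Go, added here as an illustration and not taken from any SDK: it serializes to JSON and seals the bytes with AES-GCM from the standard library, so only nonce, ciphertext and tag leave the process. The `DataConverter` interface below is a local stand-in with assumed method names (`ToData`, `FromData`), and the all-zero key is constructed for the demo; a real key would come from your key management solution.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// DataConverter is a local stand-in (an assumption) for the SDK's pluggable interface.
type DataConverter interface {
	ToData(value interface{}) ([]byte, error)
	FromData(data []byte, valuePtr interface{}) error
}

type aesGCM struct{ aead cipher.AEAD } // serializes to JSON, then seals with AES-GCM
func NewEncryptingConverter(key []byte) (DataConverter, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &aesGCM{aead}, err
}
func (c *aesGCM) ToData(value interface{}) ([]byte, error) {
	plain, err := json.Marshal(value)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, c.aead.NonceSize()) // fresh random nonce per payload
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, plain, nil), nil // nonce || ciphertext || tag
}
func (c *aesGCM) FromData(data []byte, valuePtr interface{}) error {
	if n := c.aead.NonceSize(); len(data) >= n {
		if plain, err := c.aead.Open(nil, data[:n], data[n:], nil); err == nil {
			return json.Unmarshal(plain, valuePtr)
		}
	}
	return fmt.Errorf("payload truncated, tampered with, or sealed under another key")
}

func main() {
	c, _ := NewEncryptingConverter(make([]byte, 32)) // constructed all-zero demo key
	blob, err := c.ToData("constructed secret")
	fmt.Printf("what the service stores: %x (err=%v)\n", blob, err)
}
```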