While I agree with Brian, I challenge the requirement.

This is a lazy requirement in my book. In my experience it comes from fear and from someone reading a whitepaper or something saying you should do this without any true understanding of WHY they should and WHAT the ramifications are.

In most databases there is usually very little data that is trully restricted or confidential. That which is should be identified, and the individual fields that are restricted should potentially be encrypted. Also there is a cost in terms of performance (in particular) for whole database encryption.

Also, you are mixing two very different requirements, the first is database encryption and the other is backup encryption. Which is it?

Also what is your strategy for tapes? Do they go offsite? Do you have a service for it? Are they bonded?

As you can see there is a lot more than encrypt vs. don't..

CEWII