Sometimes you can get basic encryption through a vendor, sometimes you can get advanced encryption (depending on your region).
Encryption doesn't necessarily mean security. There are different levels of encryption such as 40 bit RC4 (a.k.a. ADP), DES-XL and DES-128 (which are no longer considered secure), and AES-256. Most modern encryption algorithms operate on digital formats but some (DES-OFB?) operate on analog. Most of the federal standards (DES and AES) require an external key-loader per the federal requirement (if you've ever wondered why a key-loader is required). Most of the older, going out of support radios, have separate hardware encryption modules which define the functionality but some of the newer current gen stuff does it all in a divorced hardware board (MACE for APX radios).
The real question, what is secure? Even with 40-bit ADP encryption is an affordable start for many users. However, it can be cracked given enough time and CPU (trade secret...many ADP algorithms are based off an entity's phone number) and regardless, is a reason why keys should be regularly rolled (@TLF @LibertyHillGuy ahem...going on 3+ years now). That being said, that just keeps you from being able to follow the conversation...you can still track the traffic. For example, my local municipality has a secure tac talk group which they dynamically use for sensitive info and while I can't follow the audio, I can follow the conversation via the unit IDs with UniTrunker. Secure also does not mean you can't be DF'd. Also, for a good part just moving to some form of digital modulation can help as your average spectrum scanner likely won't be prepared for it for one reason or another.
My real point...encryption is part of a secure toolbox and should honestly be the last thing you apply to the secure toolbox. Shift your communications around. Define a channel plan and only identify those channels over the air by their tactical names. "Message trunk" or change the channel every message (preferably to a repeater located at a different location which still provides coverage). Try and define common waypoints to avoid giving geographical location info over the air. If you need to pass info where you can't simply say 1 click north of waypoint whiskey or go to channel OP 3, 3 Delta 1, Upper Potato Net, Lower Potato Net, etc then you rely on encryption. There is a great deal of security in obscurity. TLF is probably the only one on the forum who knows what my channel names correlate to and better yet, the digital channels utilize different ID's for each making it more difficult to track (one of the reasons I choose P25 radios over DMR...multiple IDs and multiple systems).