GnuPG is used for encryption:
$ gpg --gen-key
...
$ gpg -K
...
sec 4096R/6EB7E943
...
$ gpg --export-secret-key -a > secret.key # BACK THIS UP!
...
$ mkdir -p /etc/fussy/keys
$ chmod 0700 /etc/fussy/keys
$ gpg --export -a 6EB7E943 | GNUPGHOME=/etc/fussy/keys gpg --import
$ GNUPGHOME=/etc/fussy/keys gpg --edit-key 6EB7E943 trust quit
# Mark as ultimately trusted...
$ GNUPGHOME=/etc/fussy/keys gpg --gen-key
$ GNUPGHOME=/etc/fussy/keys gpg -K
...
sec 4096R/C064B21C
$ GNUPGHOME=/etc/fussy/keys gpg --export -a C064B21C | gpg --import
* Anyone with access to the machine can trivially extract the key *or* the
unpacked content of your packages, do *not* rely on the encryption to
prevent access to the package contents.