One way is to use the Always Encrypted feature of the database engine. This way only the client application is aware of the key to decrypt the data. Have a look at Always Encrypted (Database Engine) and from a larger point of view: Data security, SQL Server 2016, and your business | SQL Server Blog.
As an0ther1 pointed out, it may not be practical to encrypt everything, just the data that really needs to be protected.
Another aspect which should be implemented is auditing, to be able to see who does (or has tried) what. In a secure environment it's important to try to protect the data as well as possible but also to gather information about potential misuses. Have a look at SQL Server Audit (Database Engine).
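The following T-SQL is an added example, not part of the original answer. It sketches both suggestions together: Always Encrypted on only the sensitive columns, and a SQL Server Audit that records successful and failed access to the table. The names `SalesDb`, `dbo.Customers`, `CEK_Customers`, `Audit_Customers` and the folder `D:\SqlAudit\` are hypothetical, and the column encryption key is assumed to have been provisioned already (for example with the SSMS Always Encrypted wizard).

```sql
-- Added example. Assumes column encryption key CEK_Customers already exists
-- in SalesDb and that the SQL Server service account can write to D:\SqlAudit\.
USE SalesDb;
GO
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    FullName   NVARCHAR(100) NOT NULL,          -- not sensitive: left in clear text
    -- Deterministic: supports equality lookups, but equal values are visible as equal.
    -- Character columns with deterministic encryption need a BIN2 collation.
    NationalId CHAR(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Customers,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    -- Randomized: no server-side comparison at all, use when no lookup is needed.
    BirthDate  DATE
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Customers,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL
);
GO
-- Server-level audit target (file based).
USE master;
GO
CREATE SERVER AUDIT Audit_Customers
    TO FILE (FILEPATH = 'D:\SqlAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT Audit_Customers WITH (STATE = ON);
GO
-- Failed logins are captured at server scope.
CREATE SERVER AUDIT SPECIFICATION AuditSpec_Logins
    FOR SERVER AUDIT Audit_Customers
    ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);
GO
-- Data access and permission changes are captured at database scope.
USE SalesDb;
GO
CREATE DATABASE AUDIT SPECIFICATION AuditSpec_Customers
    FOR SERVER AUDIT Audit_Customers
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Customers BY public),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- Review: succeeded = 0 marks attempts that were denied.
SELECT event_time, action_id, succeeded, server_principal_name, statement
FROM sys.fn_get_audit_file('D:\SqlAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

Clients must connect with `Column Encryption Setting=Enabled` in the connection string and have access to the column master key to read or write the encrypted columns.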