It is true that NDMP rules out host based (software) encryption. But BE supports hardware based encryption; HP LTO5 does offer encryption support and should be supported by BE. It also is expected to work with NDMP - in this case SCSI pass through is used to upload keys into tape drive.
So it is quite possible that everything that is needed to use encryption is already in place. Of course, it means that keys are managed by BE and only BE will be able to restore data. I do not know whether (hardware based) encryption is separately licensed feature of BE.