The admin
common settings page has a section for Security.
If I search the code, it seems that the EncryptionKey is only used to encrypt the credit card info (which only applies if you do manual credit card transactions).
It would seem to me that if someone could hack into your database, they would see encrypted CC info, but if they know nopC, then they would also be able to get to the EncryptionKey (stored in DB's Settings table).
You will see that other plugins that store login credentials are storing them in plain text (e.g. UPS, FedEx, Avalara Tax, etc.). System email passwords are stored plain text. There's a work item to fix that
discussed here But if those were encrypted, then the above hack would also apply. Maybe storing the EncryptionKey in a configuration file on the app server would make it a little more secure, since it's on another server, but it's still vulnerable.
It's said that you should not hard code encryption keys, because then all the developers can easily get to it. But, in your case it may be OK. Someone could still reverse engineer your code to find it, but you can also encrypt your key, and obfuscate code to make it much harder to get to ;)
