Unfortunately, I don't think this is currently possible. I have verified few Documents and articles related to EncryptBlob, It is mentioned that "Once instances of the class exist, you are unable to change EncryptBlob value. An encrypted Blob shows the entire blob decrypted on the clipboard."
We can't encrypt the BLOB data once the instances exists. But if we want to encrypt the property value inside the BLOB even after the instance exists, we can open the instances and save them or run through the flow.
I have worked with Ross on SR-B8661, the resolution we tried for the reported behaviour as changing the Database table mapping of the class to an empty table temporarily, which allowed the 'Encrypt BLOB' option as editable and remapping the class to its original table. On checking the 'Encrypt BLOB' option it is working as confirmed by Ross that BLOB is getting encrypted for new instances which get created and for old instances one have to resave them.
The solution was tested on QA and we have created Product rule including updated class rule with 'Encrypt BLOB' as checked since Ross has plans to move the updated class to Dev env.
Once the instance is encrypted ( as described above by you) and we see in production that we are getting some issues with the encryption and we want to rollback . can we follow through the same process of temporary mapping to a different table and uncheck the Encrypt[-Blob and open re-save the work item (already encrypted) will that help in getting the decrypted value for that encrypted pzpvSteam ?
I am asking this question because, We are planning to do BLOB encryption and thinking of Rollback plan in-case any goes wrong .