An entity can choose to encrypt the key/value pairs by using an AES encryption key at the time of chaincode invocation (https://github.com/hyperledger/fabric/tree/master/examples/chaincode/go/enccc_example). The encryption key is passed to the chaincode, which then encrypts the values before sending them in a proposal. The entities that need to decrypt the value (for example, to endorse a transaction) must be in possession of a key. It is expected that such encryption keys are then shared with other peers in an out-of-band manner.