A concern related to ddd - have data to decrypt before passing it to the domain, which layer should decrypt the data ?

The boundary of your application. Usually you will do it in a class that is injected either in your view model or in a repository. I prefer the approach of having the domain pure thus I would prepare the data via a class in the view model and pass it ready to domain to use in business logic.

What if I have to encrypt data before saving it into DB or file manager, Which part of the layer should handle this ?