If you want to encrypt the partition that BT runs off, I would suggest that you check out TrueCrypt. It is open source software and pretty much the best one out there for on-the-fly encryption/decryption. It also supports the encryption of a complete OS.
However, as the encryption/decryption of the files will be running live, eating up both CPU speed and RAM, you will be seeing quite a substantial drop in performance. Therefore I would recommend that you stay away from full encryption and rather implement a password-enabled boot option + additional encryption with TrueCrypt of files containing sensitive information.
As for the hidden boot option, you could for example install LILO, or some other bootloader, on a USB stick or CD and use it to boot into BT. Using this setup, the BT OS would remain invisible to the regular user, as the computer would boot straight into Windows without the USB/CD. IMHO this would provide you with the easiest yet most invisible boot option for BT.