Hi Tim,

Is it also possible to set a client password, instead of a datazone password?

No.  If you have security permissions per host set correctly that should not be an issue - at least if you have only file system backups.  With databases I'm aware that certain permissions are required for specific users and same user (eg oradba) may exist on multiple hosts thus breaking the concept... 

Where is the data being encrypted? Is it on the client, so that the encrypted data is sent over the network? Or is it being encrypted on the storage node, so that plain data is sent over de network, and being encrypted before it is put on a networker media?

I didn't play with aesasm, but I believe it works pretty much as all other similar asm features - it is executed on client machine.  Be careful with that as this will add on CPU activity to client host.

If you are really after encryption as requirement, you should really look into dedicated encryption module (network or storage wise).  What is obvious from trends and roadmaps, storage vendors are starting adding encyption modules to storage arrays and I assume this will be sort of normal thing within next 5 years (along with backup/snapshot integration), but I can understand there are many out there not in position to wait that long.