You can, but assuming that you actually need to look at the value, you will also need to have local decryption keying material. For example, if it were encrypted using AES, you would need to store the symmetric key in a place accessible to the iRule. If somebody has sufficient access to the BIG-IP to see the contents of the data-group, they are very likely to have sufficient permission to see the contents of the iRule, which would in turn contain the key. At that point, the encryption won't hide the contents. If the encrypted information were stored remotely, and an adversary gets access to the BIG-IP in such a way that he or she can connect to the remote system, you're in the same boat. If you store the key in a remote vault, you will presumably need to supply credentials to access that key. Again, if somebody has those credentials and the ability to make a connection from the BIG-IP, then the encryption will fail to keep the value secret.
I'm certainly not arguing against encryption for data-at-rest, but it is of course a trade-off, and it's important to consider under what conditions the data remains secret and when it will not.
Having said all of that, the simplest way is to use the AES command set, as in:
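    when RULE_INIT {
        # The key is stored in the iRule itself, so anyone who can read the rule can read the key
        set static::key "AES 256 0a4f..."
    }
    when HTTP_REQUEST {
        # class lookup takes the item first, then the data-group name
        if { [set header_value_to_insert_encr [class lookup "somekey" your-dg]] ne "" } {
            # Decrypt the stored value and insert it as a request header
            HTTP::header insert X-Your-Header "[AES::decrypt $static::key $header_value_to_insert_encr]"
        }
    }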
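For the other half of the round trip, here is an added sketch (not part of the answer above) that produces the value to store in the data-group and reads it back with error handling. It assumes the ciphertext is kept base64-encoded as a string data-group value; the `/encrypt-helper` URI and the `X-Plain` header are hypothetical names, and the key still sits in the iRule, so the caveats above apply unchanged.

```tcl
when RULE_INIT {
    # Key elided as in the answer above; generate one once with [AES::key 256].
    # Anyone who can read this iRule can read the key.
    set static::key "AES 256 0a4f..."
}

when HTTP_REQUEST {
    # Temporary helper (hypothetical URI and header names): returns the
    # base64 ciphertext of X-Plain so it can be pasted into the data-group.
    # Attach it only to an admin-only virtual server and remove it after use.
    if { [HTTP::uri] eq "/encrypt-helper" } {
        set cipher [b64encode [AES::encrypt $static::key [HTTP::header value X-Plain]]]
        HTTP::respond 200 content $cipher
        return
    }

    # Normal path: fetch the stored base64 ciphertext (item first, then data-group).
    set stored [class lookup "somekey" your-dg]
    if { $stored eq "" } { return }

    # b64decode raises a Tcl error on malformed input, so wrap the whole
    # decode-and-decrypt step; an empty result is treated as a failure too.
    if { [catch { set plain [AES::decrypt $static::key [b64decode $stored]] }] || $plain eq "" } {
        log local0. "your-dg: could not decrypt value for somekey"
        return
    }
    HTTP::header insert X-Your-Header $plain
}
```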