Amanda-Users

Re: Running AMANDA over the Internet

2003-02-06 08:49:19
From: Greg Troxel <gdt AT ir.bbn DOT com>
To: marc.bigler AT day DOT com
Date: 06 Feb 2003 08:16:30 -0500
There is support for kerberos, which does two things

  authenticates the request from the server to the client
  encrypts the backup stream

The first step is actually quite important.  Without it, someone else
can run a backup and get your bits sent to them, even if they are
protected from eavesdropping while being sent to the attacker.

Kerberos support is currently not in good shape.  You have to get the
krb bits separately (separate CVS module), and they aren't tagged
consistently with releases.  I have tried to compile them recently,
and had trouble.

As others have said, using Kerberos requires, in addition to getting
amanda+krb to build correctly, having a Kerberos server and the clue
to administer the realm.

Using IPsec seems like a good method, since it can provide
authentication as well.  [The following assumes familiarity with
RFC2401 and discusses BSD systems.]  While others have mentioned VPN,
one can instead use transport mode ESP.  The trick is getting Security
Policy Database (SPD) entries to match the amanda traffic.  Since
ports change for the backup stream, it might be best to set per-socket
policy in the amanda programs using setsockopt(IP_IPSEC_POLICY).  This
approach is likely workable on Solaris.  Last I checked, the FreeSWAN
IPsec implementation for Linux did not support an SPD as required by
RFC2401, and in particular using ports as selectors did not work.

One can also just use tunnel-mode ESP for all traffic to the
particular remote host.

        Gregory Troxel <gdt AT ir.bbn DOT com>
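The per-socket policy approach the post describes, as an added example (not code from the post or from the amanda project): it builds a libipsec policy spec and pushes it into a socket with setsockopt(IP_IPSEC_POLICY), so the kernel refuses to carry that socket's traffic outside transport-mode ESP regardless of which port the backup stream ends up on. It assumes a KAME-derived BSD with libipsec (header netipsec/ipsec.h, link with -lipsec); ipsec_set_policy(), ipsec_get_policylen() and ipsec_strerror() are that library's real API. The function and variable names are this example's own. On a system without that header the apply step is compiled out and reports EOPNOTSUPP instead of silently leaving the socket unprotected.

```c
/* Added example (not from the original post): per-socket IPsec policy on a
 * KAME-derived BSD via setsockopt(IP_IPSEC_POLICY). Link with -lipsec. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* libipsec is only present on KAME-derived systems; compile it out elsewhere. */
#if defined(__has_include)
# if __has_include(<netipsec/ipsec.h>)
#  include <netipsec/ipsec.h>
#  define HAVE_KAME_LIBIPSEC 1
# endif
#endif

/* Build the libipsec policy spec for one direction ("in" or "out").
 * Transport-mode ESP with no explicit endpoints (the socket's own addresses
 * apply) at level "require": traffic must be ESP-protected by an SA that
 * already exists or that a key daemon such as racoon negotiates on demand.
 * Returns the spec length, or -1 if dir is invalid or buf is too small. */
int amanda_ipsec_spec(const char *dir, char *buf, size_t buflen)
{
    if (strcmp(dir, "in") != 0 && strcmp(dir, "out") != 0)
        return -1;
    int n = snprintf(buf, buflen, "%s ipsec esp/transport//require", dir);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Apply one policy spec to socket s. Returns 0 on success, -1 with errno set.
 * Without libipsec this reports EOPNOTSUPP rather than pretending to succeed. */
int apply_socket_policy(int s, const char *spec)
{
#ifdef HAVE_KAME_LIBIPSEC
    /* ipsec_set_policy() parses the text into the kernel's policy structure
     * and returns a malloc'd buffer the caller must free. */
    char *pol = ipsec_set_policy(spec, (int)strlen(spec));
    if (pol == NULL) {
        fprintf(stderr, "ipsec_set_policy: %s\n", ipsec_strerror());
        errno = EINVAL;
        return -1;
    }
    int rc = setsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY,
                        pol, ipsec_get_policylen(pol));
    free(pol);
    return rc;
#else
    (void)s; (void)spec;
    errno = EOPNOTSUPP;
    return -1;
#endif
}

/* Require ESP in both directions before connect()/accept(). A program that
 * opens data sockets on ports not known in advance would do this on each one,
 * which is what makes per-socket policy fit the amanda case. */
int require_esp_both_ways(int s)
{
    char spec[64];
    const char *dirs[] = { "in", "out" };
    for (size_t i = 0; i < 2; i++) {
        if (amanda_ipsec_spec(dirs[i], spec, sizeof spec) < 0)
            return -1;
        if (apply_socket_policy(s, spec) != 0)
            return -1;
    }
    return 0;
}

int main(void)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) { perror("socket"); return 1; }
    if (require_esp_both_ways(s) != 0) {
        perror("IP_IPSEC_POLICY");   /* EOPNOTSUPP on non-KAME systems */
        return 1;
    }
    puts("socket now requires transport-mode ESP in both directions");
    return 0;
}
```

The spec strings are the same ones setkey(8) accepts in an spdadd line; the difference is scope: an SPD entry matches by address and port selectors, whereas the per-socket policy follows the socket whatever ports it ends up using.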