After doing the initial clone, and excluding /PGPWDE01 and /PGPWDE02, encrypt the external disk (you may need to change to firewire - as I recall, there's bugs with bootable USB disks).
Then you can incrementally update it by excluding those two files, and choosing 'protect root level items' on the target, and choosing an incremenetal backup.
Make sure you test it every time you do a clone.
I *strongly* recommend having one unencrypted backup/clone. PGP's not reliable enough to have all your eggs in that basket (and yes, that's a change from early comments I made).