Encryption at rest? (untrusted destination server)

You first configure a remote for your underlying backend, in your case of type sftp. Let's give this remote the name "plain". Then you create a second remote of type crypt that wraps the remote "plain"; let's call this "encrypted".
Now just use your remote named "encrypted" like any other, e.g. rclone copy D:\docs encrypted:\docs.
You may find documentation at https://rclone.org/crypt/ useful.

Regarding renames:

By default, rclone doesn't keep track of renamed files, so if you rename a file locally then sync it to a remote, rclone will delete the old file on the remote and upload a new copy.

There is an option --track-renames that can be used with the rclone sync command, but it will not work "out of the box" with encrypted remotes, due to the requirement that source and destination have a compatible hash. You can make it work by configuring --track-renames-strategy:

Using --track-renames-strategy modtime or leaf can enable --track-renames support for encrypted destinations.

See also: Can not use --track-renames when syncing to and from Crypt remotes?

For track-renames to work, the backend also needs to support server side copy/move. Sftp does support server side move, according to this. You could test it out yourself; you should see "evidence" in the output when you are using the -v command line option.
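
The layout described in the answer above, written out as an rclone.conf fragment. This is an added example, not part of the original post; the host, user, key file, the "backup" path and the password placeholders are assumptions.

```ini
# Constructed example of rclone.conf. Host, user, key_file and the "backup"
# path are placeholders; replace them with your own values.

# Underlying backend: the untrusted server.
# Do not copy to this remote directly, or the files land there unencrypted.
[plain]
type = sftp
host = sftp.example.com
user = backupuser
key_file = ~/.ssh/id_ed25519

# crypt wrapper: file contents and names are encrypted on the client
# before anything is sent to plain:backup.
[encrypted]
type = crypt
remote = plain:backup
filename_encryption = standard
directory_name_encryption = true
# Both values are written in obscured form by "rclone config".
password = <obscured-password-placeholder>
password2 = <obscured-salt-placeholder>

# Usage from the trusted machine:
#   rclone copy D:\docs encrypted:docs -v
#   rclone sync D:\docs encrypted:docs --track-renames --track-renames-strategy modtime -v
#
# Check what the server actually stores (names should be unreadable):
#   rclone lsf plain:backup
```

The obscured password values in rclone.conf are reversible, so the config file has to stay on the trusted machine and must never be stored on the destination server.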