To answer your first question about the keychain and whether you should encrypt backups: the passwords in your keychain are already encrypted; that's why you always have to type a password (by default your login password) to show stored passwords. So there's no immediate need to encrypt.
Of course, you could add Time Machine encryption to provide a further layer of security. This is possible starting with OS X Lion and Mountain Lion (from http://support.apple.com/kb/ht1427):
"OS X Lion and Mountain Lion let you encrypt the Time Machine backup external drive using FileVault 2."
FileVault 2 also uses your login password, though. So if the bad guys are able to guess or crack that password, they will also have access to your keychain information. Choosing different passwords for login and for accessing your keychain would protect the keychain passwords in such an event.
Either way, use strong passwords; password quality is of foremost importance to protect your data.
EDIT:
The OP asked in a comment how to set different passwords for login and keychain. Here is how:
If you prefer to use your current password as keychain password and change your login password, log in using another account and change your account's password from System Preferences > Users & Groups. That will only change your login password, not your keychain password.
I was having this same problem. According to discussion at this thread on Ars Technica, it’s caused by a bug in iStat Server. Are you running this?
I was, and can confirm that the work-around solution posted there of removing iStat Server and deleting the iStat Server entry in /Library/Preferences/com.apple.security.plist has worked for me. The relevant entry looks like this:
    <key>DefaultKeychain</key>
    <array>
        <dict>
            <key>DbName</key>
            <string>/Library/Application Support/iStat Server/iStatServer.keychain</string>
            <key>GUID</key>
            <string>{87191ca3-0fc9-11d4-849a-000502b52122}</string>
            <key>SubserviceType</key>
            <integer>6</integer>
        </dict>
    </array>
Bjango, the developer of iStat Server, has further posted on the Ars Technica thread that a new version of iStat Server is now available. I have not independently verified that this addresses the problem, since the above work-around had already taken care of my issue, but their release notes say simply “Fixed a Keychain issue.” Both the new version and the release notes can easily be found at the iStat Server link above.
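The work-around above can be checked before touching the real file. The following is an added example, not part of the original answer or of any Apple or Bjango tooling: it parses a copy of the preferences plist, reports every keychain entry whose DbName mentions iStat Server, and returns the cleaned plist without writing anything to disk. The function name `strip_keychain_entries` is hypothetical, and the embedded sample (including its `DLDBSearchList` array) is constructed for illustration.

```python
import plistlib
import sys

# Constructed sample: the DefaultKeychain entry quoted in the answer, plus an
# assumed DLDBSearchList array so the example shows an unrelated entry kept.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>DLDBSearchList</key>
<array>
<dict><key>DbName</key><string>/Library/Keychains/System.keychain</string></dict>
<dict><key>DbName</key>
<string>/Library/Application Support/iStat Server/iStatServer.keychain</string></dict>
</array>
<key>DefaultKeychain</key>
<array>
<dict><key>DbName</key>
<string>/Library/Application Support/iStat Server/iStatServer.keychain</string>
<key>GUID</key><string>{87191ca3-0fc9-11d4-849a-000502b52122}</string>
<key>SubserviceType</key><integer>6</integer></dict>
</array>
</dict></plist>"""


def strip_keychain_entries(plist_bytes, needle):
    """Drop keychain entries whose DbName contains needle; return (bytes, removed)."""
    prefs = plistlib.loads(plist_bytes)
    removed = []
    for key, value in list(prefs.items()):
        if not isinstance(value, list):
            continue  # only arrays of keychain dicts are of interest
        kept = []
        for entry in value:
            db_name = entry.get("DbName", "") if isinstance(entry, dict) else ""
            if needle.lower() in db_name.lower():
                removed.append((key, db_name))
            else:
                kept.append(entry)
        if kept:
            prefs[key] = kept
        else:
            del prefs[key]  # assumption: an emptied array is dropped entirely
    return plistlib.dumps(prefs), removed


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PLIST
    cleaned, removed = strip_keychain_entries(data, "iStat Server")
    for key, db_name in removed:
        print(f"would remove from {key}: {db_name}")
```

Run it with the path of a copy of com.apple.security.plist as the only argument to see which entries would be removed from that copy.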
Best Answer
Keychain files are password protected; your login password is required to access their content. In the file itself only passwords and the content of secure notes are encrypted, so a potential attacker could at least read the URLs and the associated login names for web accounts etc.
For details about Keychain see Wikipedia and the pages referenced from there.