It depends on what data is contained in your SubscriberKey. The SubscriberKey is how SFMC keeps track of a Subscriber's status. In most cases it's the email address, but if you have any kind of integration (e.g. Marketing Cloud Connect), the SubscriberKeys are typically not email addresses.
To configure a sendable DE, you'll have to define the relationship of the DE data to All Subscribers so the status can be maintained. You don't need both email address and SubscriberKey if your SubscriberKey is email addresses. If they're different, I recommend having both.
Primary Key is to define uniqueness of a row, so no two rows can have the Email Address + SubscriberKey combination, then those two fields should be set as Primary Key.
If you want to use a Query Activity to update a Data Extension, you'll need to define the Primary Key fields.
First of all, I don't think you can use Query to update All Subscriber Lists, as query only works with Data Extensions (local or shared), system data extensions can not be selected (_Sent, _Open etc)
And You can't use insert , delete or update keyword in Marketing Cloud query, it is not standard TSQL, to implement "insert into" you have to use select query and include the PK column. Marketing cloud uses the dataset from select query to match and update target data extension rows, that is why PK column must be configured in targeted DE to allow "Append" or "Update" action.
"Data actions" on targeted Data Extension
Append - only add new data
Update - only update existing data
Overwrite - delete all records in target data extension and insert all records from your query.
so an update query should look like this
select Email_Address__c as 'EmailAddress',
Email_Address__c as 'SubscriberKey'
From [FilteredDE]
then select targeted data extension and "Update" type. Assume that your targeted data extension has SubscriberKey column set to PK, above query will find records that match SubscriberKeys and update EmailAddress column to values in [FilteredDE].[Email_Address__c]
Best Answer
Little late on the answer but I've been working on this recently and someone might find this information useful.
If you are looking to do an encryption on data once it is inside Marketing Cloud the 2 main ways to do this would be with SQL activity or script activity.
SSJS only support MD5 hashes so this is fairly limiting. AMPscript does have more support for SHA256 but as you noted in the question you cannot use SSJS + AMPscript in an Automation Studio activity.
With SQL activity you can use the HASHBYTES function, making sure you cast and convert the values in the right way. This could be run on a schedule.
To update the All Subscribers attributes typically an export, transfer and import activity to the All Subscribers list via csv is common practice.