In a 5G radio access network (RAN), network slicing enables dividing a single RAN infrastructure into multiple logical networks, efficiently accommodating services with diverse requirements. Although RAN slicing can help improve resource efficiency and reduce network costs, it is accompanied by various security risks. One of the security threats in RAN slicing is potential eavesdropping, resulting in the leakage of sensitive data within slices. Encryption technologies have been developed to address the eavesdropping problem at different layers in optical networks. We focus on physical layer encryption since it has been demonstrated beneficial in line-speed processing, low latency, and small encryption overhead. The problem of utilizing physical layer encryption technologies to achieve secure RAN slices remains unexplored since physical layer encryption introduces additional hardware costs. In this paper, we study how to realize secure RAN slicing based on physical layer encryption in a metro aggregation network that consists of hybrid-trusted links (i.e., links with different risks for eavesdropping). We propose an integer linear programming (ILP) model and an auxiliary graph-based heuristic for small-scale and large-scale networks, respectively. The objective is to maximize the number of deployed slices and minimize the total cost of secure slice deployment, which includes the costs of servers, line cards (LCs), encryption cards (ECs), and bandwidth resources. To evaluate the benefit of encryption, we compare it with a detour solution, which protects slices by routing through trusted links (i.e., where no additional hardware for encryption is deployed). Simulation results show that the encryption-based solution exhibits a lower cost than the benchmark when the same number of slices are deployed, and it can reduce the blocking ratio by up to 8.5% as slice requests increase. In addition, the average latency of slices is also reduced by up to 14.6%.