It's really easy when you remember that you can either partition the disk with the rescue tools or use files as the disk volume backing (most VPSs already have a swap set up this way). Keeping the secret in separate, client-only, non-internet-reachable locations and writing simple SSH scripts that connect as root and run the volume mount is simple.
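One way to script the remote unlock described above, as an added example that is not part of the original post: the key stays in a file on the client and is streamed over SSH into `cryptsetup`, which reads it from stdin. The host, container path, mapper name, mount point and the `SSH` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the post). All names below are assumptions.
set -eu

SSH="${SSH:-ssh}"                          # swap in a stub for dry runs
VPS_HOST="${VPS_HOST:-root@vps.example}"   # placeholder host
CONTAINER="${CONTAINER:-/srv/vault.img}"   # file used as the volume backing
MAPPER="${MAPPER:-vault}"                  # /dev/mapper name
MOUNTPOINT="${MOUNTPOINT:-/mnt/vault}"

# Single-quote a value for the remote shell; reject embedded quotes.
sq() {
  case "$1" in *"'"*) return 1 ;; esac
  printf "'%s'" "$1"
}

# Command run on the VPS. "--key-file -" makes cryptsetup read the key from
# stdin, so it never lands on the VPS disk or in a process argument list.
remote_unlock_cmd() {
  c=$(sq "$CONTAINER") && m=$(sq "$MAPPER") && p=$(sq "$MOUNTPOINT") || return 1
  d=$(sq "/dev/mapper/$MAPPER") || return 1
  printf 'cryptsetup open --type luks --key-file - %s %s && mount %s %s' \
    "$c" "$m" "$d" "$p"
}

remote_lock_cmd() {
  m=$(sq "$MAPPER") && p=$(sq "$MOUNTPOINT") || return 1
  printf 'umount %s && cryptsetup close %s' "$p" "$m"
}

unlock_volume() {
  keyfile="$1"
  [ -s "$keyfile" ] || { echo "missing or empty key file: $keyfile" >&2; return 2; }
  cmd=$(remote_unlock_cmd) || return 1
  "$SSH" "$VPS_HOST" "$cmd" < "$keyfile"   # key travels only inside the SSH channel
}

lock_volume() {
  cmd=$(remote_lock_cmd) || return 1
  "$SSH" "$VPS_HOST" "$cmd"
}

case "${1:-}" in
  unlock) unlock_volume "${2:?path to local key file}" ;;
  lock)   lock_volume ;;
  *)      echo "usage: $0 unlock <keyfile> | lock" >&2 ;;
esac
```

While the volume is open, the key is held in the VPS's memory, so running `lock` when the data is not needed shortens that window.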
Discussion
There is still a huge security issue. Any provider can dump the memory of the VPS node and extract the decryption key. But for that the VPS node must be online and the key must be in the memory.
To avoid this you should use VPS providers which use AMD EPYC because then it is possible to encrypt the memory without any chance to extract data. It's called SME (Secure Memory Encryption). Not all providers have activated it. On our Netherlands location it is activated.
This sounds great. What is the best way to contact you?
We have Signal (mynymbox.10), SimpleX or sales@mynymbox.net
https://smp14.simplex.im/a#-hQO2deuaQsGEIQ3p2HF9SH_3Xn4Kck-S9Yh7lZIOe4