I think adding such a change to the central component (BuilderHub) might lead to a secrets/configuration leakage if not safe-guarded enough (e.g. that flag allows only our VPN or something like that). Because otherwise, someone could deployment any image and send its measurement to fetch the deployment secrets/configs.
If this is only regarding devnet env purposes and not later repurposed for production env, then it won’t matter if the disk encryption key coming from a vTPM or BuilderHub.
But if we want to test the functionality of the vTPM itself as a viable option for the deployment, then I agree that it should be there.
Also, we could add to it later Loose Seal as an option for bare-metal deployments.
Ideally, we would have soon a secure KMS solution (e.g. this PR) that we could utilize for such use-cases