There is a tutorial on how to deploy LUKS2 encrypted disks or partitions using MAAS. It involves some fiddling with the curtin preseeds, but it is still relatively easy to implement. This solution doesn’t provide any secrets management right now. Although, I imagine this could be implemented with some more advanced templating and creative use of the MAAS API.
Other than that, if you don’t need an encrypted root, a lot is possible with custom cloud-init user data. That includes getting secrets from an API. I personally use an ansible playbook to setup encryption at boot and have a single ansible-pull command in my cloud-init userdata.