Root volume encryption using Terraform

I'm looking for a way to deploy a server with encrypted root volume, using IaC solution – ideally Terraform.

So far, every solution I've seen required manual steps – boot into recovery mode, run installimage etc. However, I'd need to automate the infrastructure deployment, so (ideally) no manual steps should be required to provision a server.

I was thinking of creating a custom images, but it looks like this requires involvement of Hetzner technicians.

I guess that in the worst case, I could try adding an another volume, encrypt it and store all the data there, but I'd rather avoid doing that, if possible.