Currently we don’t have support for disk encryption in balenaOS. So a first step would be to add support for disk encryption. A next step would be to add support for hardware-backed disk encryption. So the answer to your question is that unfortunately we don’t have a solution ready for you.
But to extend a bit more on this:
To use a TPM for disk encryption is great, but it depends on the implementation and the threat model one wants to protect against.
You can seal secret keys in a TPM and have the TPM measure the software stack that is booted. Only if the measurements match the sealed state will the TPM give access to the secret keys, and therefore the disk can be decrypted. This is also called trusted boot with a static root of trust. This would be a very good solution, but it means that for any change to the system one needs to remeasure the new state of the TPM and seal the keys again for the new measurement.
One can just keep the secret keys in the TPM and not worry about sealing or the state of the system, but then an attacker could add software to the non-encrypted part of the system that can be written in a way to let them extract the encrypted data from the system anyhow.
I hope this answers your question, if not please let us know.
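
The seal and reseal cycle described in the reply above, as an added example that is not part of the original post or of balenaOS: a simplified Python model of a SHA-256 PCR and a key bound to one PCR value. `SealedKey`, the boot-chain contents and the key value are constructed for illustration, and no real TPM is contacted.

```python
import hashlib
import hmac

PCR_INIT = bytes(32)  # a SHA-256 PCR is all zeroes after reset

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(chain: list[bytes]) -> bytes:
    """Replay a boot chain into a single PCR, in boot order."""
    pcr = PCR_INIT
    for component in chain:
        pcr = extend(pcr, component)
    return pcr

class SealedKey:
    """Hypothetical stand-in for a TPM object sealed to one PCR value."""
    def __init__(self, key: bytes, expected_pcr: bytes):
        self._key = key
        self._expected = expected_pcr

    def unseal(self, current_pcr: bytes) -> bytes:
        if not hmac.compare_digest(current_pcr, self._expected):
            raise PermissionError("PCR mismatch: policy not satisfied")
        return self._key

def try_unseal(sealed: SealedKey, chain: list[bytes]):
    """Return the key if the measured chain satisfies the seal, else None."""
    try:
        return sealed.unseal(measure_boot(chain))
    except PermissionError:
        return None

# Constructed sample data: component images and a disk key.
BOOT_V1 = [b"bootloader-1.0", b"kernel-A", b"initramfs-A"]
BOOT_V2 = [b"bootloader-1.0", b"kernel-B", b"initramfs-A"]  # legitimate update
TAMPERED = BOOT_V1 + [b"unexpected-extra-module"]            # unmeasured state
DISK_KEY = b"\x11" * 32

def demo() -> dict:
    sealed = SealedKey(DISK_KEY, measure_boot(BOOT_V1))
    results = {
        "v1": try_unseal(sealed, BOOT_V1),
        "tampered": try_unseal(sealed, TAMPERED),
        "v2_before_reseal": try_unseal(sealed, BOOT_V2),
    }
    # After an update the key must be sealed again to the new measurement.
    resealed = SealedKey(DISK_KEY, measure_boot(BOOT_V2))
    results["v2_after_reseal"] = try_unseal(resealed, BOOT_V2)
    return results
```

A legitimate update and a tampered boot chain both fail the same way, which is why sealing to measurements requires a reseal step in every update path.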