Comment by gradschool

2 days ago

Here's a crazy idea. Create a large empty file on your VPS. Call it backingfile.lol. Then remotely mount the directory containing backingfile.lol using sshfs on your local machine, so that you can access backingfile.lol as if it were a local file. Then create a loopback device on the local machine using backingfile.lol as the backing file, and create a luks device on top of the loopback device. Format the luks device with the filesystem of your choice, mount the filesystem, and rsync your secret files with it. Tear down everything except backingfile.lol on the VPS when not in use, and your files will persist inside it.

If my understanding of all this is correct, your adversary could have physical access, root access, and Intel's own ME signing keys, but will see only encrypted data at rest on the VPS, because your keys never leave the local machine, affording him no recourse short of cracking AES.
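The procedure described in the comment above, spelled out as shell helpers. This is an added example, not the commenter's own script: the SSH target `user@vps.example.org`, the remote directory `/srv/vault`, the mount points under `/mnt`, the 8G size and the source directory `/home/user/secrets` are assumptions, overridable through the environment. `DRY_RUN=1` prints the command sequence without touching anything, which is also how the example is exercised here.

```shell
#!/bin/sh
# Added example (not the commenter's own script): the sshfs + loop + LUKS
# procedure from the comment above, as init/up/down helpers. Host, paths
# and sizes are assumptions; override them via the environment.
set -eu

VPS="${VPS:-user@vps.example.org}"          # assumed SSH target on the VPS
REMOTE_DIR="${REMOTE_DIR:-/srv/vault}"       # assumed directory holding the backing file
BACKING="backingfile.lol"
SIZE="${SIZE:-8G}"                           # size of the (sparse) backing file
MNT_SSHFS="${MNT_SSHFS:-/mnt/vps}"           # local sshfs mount point
MNT_VAULT="${MNT_VAULT:-/mnt/vault}"         # local mount point of the decrypted fs
MAPPER="${MAPPER:-vault}"                    # becomes /dev/mapper/$MAPPER
SRC="${SRC:-/home/user/secrets}"             # assumed local directory to back up
DRY_RUN="${DRY_RUN:-0}"                      # DRY_RUN=1 prints the commands only
LOOP=""                                      # loop device, filled in by attach_loop/find_loop

# Print each command before running it; with DRY_RUN=1 only print.
run() {
  printf '%s\n' "$*"
  [ "$DRY_RUN" = 1 ] || "$@"
}

# Step 1: a large empty file on the VPS. truncate makes it sparse, so it
# costs no disk space until ciphertext is actually written into it.
create_backing() {
  run ssh "$VPS" "mkdir -p $REMOTE_DIR && truncate -s $SIZE $REMOTE_DIR/$BACKING"
}

# Step 2: expose the remote directory locally over sshfs. allow_root lets the
# root-run losetup read the FUSE mount; it needs user_allow_other in /etc/fuse.conf.
mount_sshfs() {
  run sudo mkdir -p "$MNT_SSHFS"
  run sshfs "$VPS:$REMOTE_DIR" "$MNT_SSHFS" -o allow_root
}

# Step 3: a loop device over the (remote) backing file.
attach_loop() {
  if [ "$DRY_RUN" = 1 ]; then
    LOOP=/dev/loop0   # assumed device for the dry run
    echo "sudo losetup --find --show $MNT_SSHFS/$BACKING  # -> $LOOP"
  else
    LOOP=$(sudo losetup --find --show "$MNT_SSHFS/$BACKING")
  fi
}

# Look up the loop device already attached to the backing file (for vault_down).
find_loop() {
  if [ "$DRY_RUN" = 1 ]; then
    LOOP=/dev/loop0
  else
    LOOP=$(sudo losetup -j "$MNT_SSHFS/$BACKING" | cut -d: -f1)
  fi
}

# Step 4 (first time only): LUKS2 on the loop device, then a filesystem inside
# it. The passphrase prompt happens here, on the local machine, never on the VPS.
luks_format() {
  run sudo cryptsetup luksFormat --type luks2 "$LOOP"
  run sudo cryptsetup open "$LOOP" "$MAPPER"
  run sudo mkfs.ext4 -q "/dev/mapper/$MAPPER"
  run sudo cryptsetup close "$MAPPER"
}

# Step 5: unlock, mount, rsync the secrets into the encrypted filesystem.
open_and_sync() {
  run sudo cryptsetup open "$LOOP" "$MAPPER"
  run sudo mkdir -p "$MNT_VAULT"
  run sudo mount "/dev/mapper/$MAPPER" "$MNT_VAULT"
  run sudo rsync -a --delete "$SRC/" "$MNT_VAULT/"
}

# One-time setup: create the backing file, format it, leave only the file on the VPS.
vault_init() {
  create_backing
  mount_sshfs
  attach_loop
  luks_format
  run sudo losetup -d "$LOOP"
  run fusermount -u "$MNT_SSHFS"
}

# Per-session: bring the vault up and sync.
vault_up() {
  mount_sshfs
  attach_loop
  open_and_sync
}

# Step 6: tear down in reverse order; only backingfile.lol remains on the VPS.
vault_down() {
  find_loop
  run sudo umount "$MNT_VAULT"
  run sudo cryptsetup close "$MAPPER"
  run sudo losetup -d "$LOOP"
  run fusermount -u "$MNT_SSHFS"
}

case "${1:-}" in
  init) vault_init ;;
  up)   vault_up ;;
  down) vault_down ;;
esac
```

Run `init` once, then `up` and `down` per session. Two caveats a practitioner would add to the comment's threat model: the LUKS header, key slots included, lives inside backingfile.lol on the VPS, so whoever holds the file can run an offline passphrase-guessing attack against it; a high-entropy passphrase or keyfile, or cryptsetup's detached header (`luksFormat --header` with the header file kept only on the local machine), takes that away. And LUKS provides confidentiality, not integrity: a hostile VPS cannot read the data but can silently corrupt or roll back blocks, which rsync will not notice on the next run.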