Exposing USB Hard Drive Folder To Dom0 Using A sys-usb Service?

Target:
With a single hotkey + password input, bind all dom0 folders to point to a VeraCrypt vault on an external drive.

With another hotkey, remove the bind.

End result: 2 layers of computing. 1 that happens on the primary HD, the other that happens on the external HD.

Problem to solve:
I need a VeraCrypt vault that only dom0 can access, and it needs to be large… in the 250 GB size or larger. That means I can’t practically use the internal HD. Nor does the internal HD allow me to remove the vault I want to expose to dom0.

Problem #1 to solve: Protecting dom0.
Ensuring that only dom0 can ever mount this vault.
Solution: Encrypt the external HD drive. Using OpenSSL, make a password.txt file. Use a bash script with a salted password + password.txt file held on dom0. This will ensure only dom0 can ever access the vault.

Problem #2 to solve: How to expose that USB drive to dom0?
Is it possible to do this with a usb-service? If so, how is this done?
If this isn’t possible, I can imagine storage pools could be used? Would I need to update the dom0 storage pool to point to the HD drive?

Which approach is going to be the least messy? What’s the best way to do this?