I’m reminded of this post, which may be relevant to you:
As for Veracrypt, my understanding is that it should not be necessary, since Qubes already uses LUKS full-disk encryption (except /boot). In other words, you would be cloning a disk that’s already encrypted.