I didn't suggest that the key be hidden inside the VM. I suggested that it be entered by the users, every time the encrypted program was run; hence the "it would be a huge pain in the ass to users" part. :)