Storing encryption secrets for each user

Hopefully someone else can prove me wrong, but I think the only way to make this work and have it be secure is if the teachers hold the encryption keys, and no one else ever sees them. Whether it is Auth0 or some other system, someone is going to have superuser access somewhere and will be able to access the data.

Secure app design like this is not my forte so take this with a hefty grain of salt: Perhaps if you had a phone app, with the enc key stored securely on the phone. Teacher logs in & accesses the system, system pushes to their phone, teacher unlocks phone and approves transfer of the enc key, system can decrypt that teacher's data. Key is destroyed on the app/API end when done.

Even better, phone app + api / app automatically rotates enc key and re-encrypts everything with the new key at the end of every session. Phone app maybe keeps the last 3 enc keys and your back end fully versions the data, retaining last 3 versions, so they can roll back in case something goes boom.

IMO, this is both super interesting and pretty complex!

(waiting for someone from Auth0 to come along and say ‘actually this is super easy and fully supported’!)

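The scheme sketched in the reply above (a per-teacher key that lives only on the phone, released for one session, rotated afterwards, with the last three versions kept for rollback), as an added Go example that is not part of the original thread or of any Auth0 product. The `Vault`/`Phone`/`Session`/`Rollback` names, the choice of AES-256-GCM and the in-memory stand-in for the phone are my assumptions; the phone-to-server transfer itself and the wiping of the server's key copies after the session are left out of the model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
const keep = 3 // versions (server side) and keys (phone side) retained for rollback
type Version struct{ KeyID int; Nonce, CT []byte } // one encrypted snapshot; KeyID names the phone key that opens it
type Vault struct{ Versions []Version }            // server-side record for one teacher: ciphertext only, never a key
type Phone struct{ Keys map[int][]byte; Next int } // stand-in for the teacher's device, the only place keys persist
func NewPhone() *Phone                         { return &Phone{Keys: map[int][]byte{}} }
func randBytes(n int) []byte                   { b := make([]byte, n); rand.Read(b); return b }
func open(k []byte, v Version) ([]byte, error) { return gcm(k).Open(nil, v.Nonce, v.CT, nil) }
// gcm builds AES-256-GCM; every key in this model is 32 bytes, so an error here is a bug.
func gcm(key []byte) cipher.AEAD {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(b) // cannot fail for an AES block
	return g
}
// Session models one login: the phone releases its current key, the server decrypts, applies the update,
// rotates to a fresh key, re-encrypts, keeps only the last `keep` versions and hands the new key to the phone.
func Session(p *Phone, v *Vault, update func([]byte) []byte) error {
	pt, err := []byte(nil), error(nil)
	if n := len(v.Versions); n > 0 {
		if pt, err = open(p.Keys[p.Next-1], v.Versions[n-1]); err != nil {
			return err // key/data mismatch or tampering: refuse rather than overwrite good data
		}
	}
	next, nonce := randBytes(32), randBytes(12) // fresh key; 12-byte nonce is GCM's standard size
	v.Versions = append(v.Versions, Version{p.Next, nonce, gcm(next).Seal(nil, nonce, update(pt), nil)})
	if len(v.Versions) > keep {
		v.Versions = v.Versions[len(v.Versions)-keep:]
	}
	p.Keys[p.Next], p.Next = next, p.Next+1
	delete(p.Keys, p.Next-1-keep) // the phone forgets its oldest key once it holds more than `keep`
	return nil
}
// Rollback decrypts the version `back` steps before the newest with the phone key that matches it.
func Rollback(p *Phone, v *Vault, back int) ([]byte, error) {
	if i := len(v.Versions) - 1 - back; i >= 0 && p.Keys[v.Versions[i].KeyID] != nil {
		return open(p.Keys[v.Versions[i].KeyID], v.Versions[i])
	}
	return nil, errors.New("version or key no longer retained")
}
```

Because every version is sealed under its own key and the phone drops keys in step with the server dropping versions, a stale server backup is unreadable once its key has aged out, which is the property the "rotate at the end of every session" idea buys.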