This scenario is that I don't want to handle decryption.
I will ask the vault for a public key, give it to a external partner, which will encrypt the information with the given key and pass that cypher text back to me.
Then I will pass the crypto text to the vault, indicating which public key generated it and the vault will reply the decrypted content.