If it's interesting to the community, I have published a small, self-contained Python library and command-line tool that can directly encrypt and decrypt secrets in a way that is compatible with the passphrase provider.
This package was originally developed as part of a solution to work around a limitation of the current Pulumi release--there is currently no easy way to get/set nonsecret config properties or stack deployment outputs without knowing the correct passphrase, even if the passphrase is irrelevant for that task. By directly implementing a private version of pulumi config and pulumi stack output, it is possible to defer use of the passphrase until it is needed, and allow working with encrypted inputs/outputs as well as nonsecret inputs and outputs, without knowledge of the passphrase. It is also helpful for automating construction of stack config files before a stack exists.
PyPI details here: https://pypi.org/project/pulumi-crypto/.
GitHub repo here: https://github.com/sammck/pulumi-crypto.
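
Added example (not part of the original post, and not pulumi-crypto's own code or API): a sketch of reading stack outputs from an exported deployment without the passphrase, returning nonsecret outputs as plaintext and leaving secret ones sealed. It assumes the JSON layout and secret signature used by Pulumi's checkpoint format; the sample export and the function names are constructed for illustration.

```python
import json

# Signature Pulumi stores on a serialized secret value (assumption based on
# Pulumi's checkpoint format; these constants do not appear in the post).
SECRET_SIG_KEY = "4dabf18193072939515e22adb298388d"
SECRET_SIG_VALUE = "1b47061264138c4ac30d75fd1eb44270"

# Constructed sample shaped like `pulumi stack export` output. The ciphertext
# strings are placeholders, not real encrypted data.
SAMPLE_EXPORT = json.dumps({"version": 3, "deployment": {"resources": [
    {"type": "pulumi:pulumi:Stack", "outputs": {
        "bucketName": "logs-1234",
        "ports": [80, 443],
        "dbPassword": {SECRET_SIG_KEY: SECRET_SIG_VALUE,
                       "ciphertext": "v1:PLACEHOLDER:PLACEHOLDER"},
        "conn": {"host": "db.internal",
                 "password": {SECRET_SIG_KEY: SECRET_SIG_VALUE,
                              "ciphertext": "v1:PLACEHOLDER:PLACEHOLDER"}}}},
    {"type": "aws:s3/bucket:Bucket", "outputs": {"id": "logs-1234"}},
]}})


def contains_secret(value):
    """True if value is a sealed secret or has one nested anywhere inside."""
    if isinstance(value, dict):
        if value.get(SECRET_SIG_KEY) == SECRET_SIG_VALUE:
            return True
        return any(contains_secret(v) for v in value.values())
    if isinstance(value, list):
        return any(contains_secret(v) for v in value)
    return False


def split_stack_outputs(export_text):
    """Return (plain, sealed) stack outputs; no passphrase is needed."""
    doc = json.loads(export_text)
    resources = (doc.get("deployment") or {}).get("resources") or []
    stack = next((r for r in resources
                  if r.get("type") == "pulumi:pulumi:Stack"), None)
    if stack is None:
        raise ValueError("no pulumi:pulumi:Stack resource in export")
    plain, sealed = {}, {}
    for name, value in (stack.get("outputs") or {}).items():
        # An output with a nested secret is treated as sealed as a whole.
        (sealed if contains_secret(value) else plain)[name] = value
    return plain, sealed
```

Only the values in the sealed dictionary require the passphrase; everything in the plain dictionary can be consumed by automation that never holds it.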