Encrypt secrets in transit before storing in kv

Hi, I have a use case in which the user types in some secret in a web application which is then stored in Vault kv for later use. The data goes from the browser through Service A, then Service B, then it is stored in Vault and used frequently by Service C. A new requirement is for the Service A to never get hold of the unencrypted secret. A solution comes to mind to encrypt the secret in the browser using a public key, then decrypt it in Service B, then store in Vault.
A more ideal solution would be if the decryption part could happen in Vault itself. That way Service B wouldn’t have to process the unencrypted secret.

Is it something that can be easily achieved with Vault?