Manual rsa encryption with transit pub key

Hi everyone,

I have an idea to encrypt some data at client that has no direct and indirect access to vault using rsa public key from transit engine of vault. Vault is needed to decrypt this data later using stored private key.

I created transit engine with rsa2048, took a public key from key versions. Next I’m trying to encrypt a string with command “openssl rsautl -encrypt -pubin -inkey rsa2048.pub | base64”.
Then I trying to decrypt result “vault:v1:open…ssl…result==” and having an error “1 error occurred: * failed to RSA decrypt the ciphertext: crypto/rsa: decryption error”.

Am I losing something or it’s impossible to encrypt string with public key and openssl not using vault API?

Thanks.