Transit RSA and Import only Public Key

Is there a way to do public key encryption using a separate/local Vault instance (so we don’t have to open up a network connection to the prod Vault)?
Specifically, is there a way I can import (or restore, etc.) only the public key into a separate Vault instance and only perform encrypt operations? (Without having to export the private key.)

Related topics/discussions I’ve already researched:

Was able to get the above working, after a small detour due to LibreSSL being the default on macOS and not supporting rsa_oaep_md:sha256.

However, Vault handles a number of things better than the OpenSSL pkeyutl calls (multiple blocks, not embedding Vault impl details into separate scripts, etc.). We’re trying to standardize on Vault for app-level encryption. Thus, I’d rather be able to use Vault as the encryption service.
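For reference, the OpenSSL-based workaround mentioned in the post looks roughly like the sketch below. It is an added example, not the poster's script or HashiCorp code. It assumes the transit key is RSA-2048 at key version 1, encrypted with OAEP/SHA-256 and returned in the `vault:v<version>:<base64>` ciphertext form; a throwaway key pair stands in for the exported public key, and the function names are made up here.

```shell
#!/usr/bin/env bash
# Added example. Constructed inputs: a throwaway RSA key pair stands in for the
# public key exported from the production transit key (assumption: key version 1).
set -eu

# Largest plaintext RSA-OAEP accepts: modulus bytes - 2*hash bytes - 2 (SHA-256 = 32).
oaep_max_len() { echo $(( $1 / 8 - 66 )); }

# Modulus size in bits, read from a PEM public key.
rsa_bits() {
  openssl pkey -pubin -in "$1" -noout -text | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# encrypt_local PUB_PEM KEY_VERSION PLAINTEXT_FILE -> prints vault:v<N>:<base64>
encrypt_local() {
  max=$(oaep_max_len "$(rsa_bits "$1")")
  len=$(wc -c < "$3" | tr -d ' ')
  if [ "$len" -gt "$max" ]; then
    echo "plaintext is $len bytes; one OAEP block holds at most $max" >&2
    return 1
  fi
  ct=$(openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$3" \
         -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 | openssl base64 -A)
  [ -n "$ct" ] || return 1
  printf 'vault:v%s:%s\n' "$2" "$ct"
}

# Test-only inverse: in production the private key stays in Vault and decrypt happens there.
decrypt_local() {
  printf '%s' "${2#vault:v*:}" | openssl base64 -d -A | openssl pkeyutl -decrypt -inkey "$1" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
}

demo() {
  d=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/priv.pem" 2>/dev/null
  openssl pkey -in "$d/priv.pem" -pubout -out "$d/pub.pem"
  printf 'constructed secret' > "$d/pt"
  wrapped=$(encrypt_local "$d/pub.pem" 1 "$d/pt")
  echo "$wrapped"
  decrypt_local "$d/priv.pem" "$wrapped"; echo
  rm -rf "$d"
}
demo
```

The size check makes the "multiple blocks" limitation explicit: a single RSA-2048 OAEP/SHA-256 operation holds at most 190 bytes, so larger payloads need a chunking or envelope scheme that the decrypting side also understands.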