Vault integration with Cache-Only Key Service

Hi. I am new to Vault and I have a question regarding its integration options.

In one specific use case, I am supposed to implement HYOK for Salesforce (https://help.salesforce.com/articleView?id=security_pe_byok_cache.htm&type=5). I would like to do that with Vault (if possible).

Does anyone know if this would work out of the box or what must be done to implement that use case? Does Vault offer an encryption service endpoint that can deliver a key as Salesforce expects it?

Many thanks!