It would be useful if we had better examples of how to do this. It would be helpful if you could provide any. Any encryption done with a secret that is shared among many possible clients is always going to be less secure than a solution that is endpoint-specific, but sometimes that is an acceptable risk. One potential option would be to manage this through site subscription and site files, in which you have access to the decryption key by syncing the site to the endpoint. Ideally, even in this case it would be best if there was a hard-coded password that was required in addition to the private key file in the site.
You can do a lot with custom use of OpenSSL, but it would also be interesting if there was an easy way to encrypt arbitrary data on the endpoint using the masthead public key such that it could only be decrypted with the root server private key. I’ve looked into this a few times but never really got anywhere.
Another option is to encrypt data with the Client public key such that it can only be decrypted with the Client private key.
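Both variants described above (data sealed to the masthead public key for the root server to open, or sealed to the Client public key for that client to open) are the same operation with a different key pair, so here is one worked example of it using only the OpenSSL command line. This is an added example, not code from the original post or from the product: it generates a throwaway RSA key pair so that it runs stand-alone, where in the real scenario the public key would be the one already present on the endpoint and the private key would never leave the server (or the client, for the second variant). File names such as `blob.key` / `blob.enc` and the function names are hypothetical. Because RSA can only encrypt a few hundred bytes directly, the script uses the standard hybrid construction: a fresh random session key is wrapped with RSA-OAEP, and the arbitrary-size payload is encrypted under AES-256 with that session key.

```shell
#!/bin/sh
# Added example (not from the original post): hybrid public-key encryption
# with the OpenSSL CLI. The key pair below is generated only so the script
# runs stand-alone; in the scenario discussed, the public key is the one
# already distributed to endpoints and the private key stays with the party
# allowed to read the data. Requires OpenSSL 1.1.1 or later (-pbkdf2).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_keypair <priv.pem> <pub.pem>   (demonstration only; a real deployment
# already has its masthead/root or client key pair)
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
    openssl pkey -in "$1" -pubout -out "$2"
}

# encrypt_for <pub.pem> <plaintext-file> <out-prefix>
# Writes <out-prefix>.key : fresh 256-bit session key, RSA-OAEP(SHA-256) wrapped to the public key
#        <out-prefix>.enc : plaintext under AES-256-CBC, key derived (PBKDF2) from the session key
# Only the holder of the matching private key can unwrap the session key.
encrypt_for() {
    pub=$1; plain=$2; prefix=$3
    openssl rand -hex 32 > "$WORK/session.hex"
    openssl pkeyutl -encrypt -pubin -inkey "$pub" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$WORK/session.hex" -out "$prefix.key"
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$WORK/session.hex" \
        -in "$plain" -out "$prefix.enc"
    rm -f "$WORK/session.hex"   # the endpoint keeps no copy of the session key
}

# decrypt_with <priv.pem> <in-prefix> <plaintext-out>
# Returns non-zero if the private key does not match the public key used
# to wrap the session key (OAEP decryption fails deterministically).
decrypt_with() {
    priv=$1; prefix=$2; plain=$3
    openssl pkeyutl -decrypt -inkey "$priv" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$prefix.key" -out "$WORK/session.dec" 2>/dev/null &&
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$WORK/session.dec" \
        -in "$prefix.enc" -out "$plain" 2>/dev/null
    rc=$?
    rm -f "$WORK/session.dec"
    return $rc
}

# Demonstration run: one pair standing in for the server (or client) key,
# and an unrelated pair to show that any other private key is rejected.
make_keypair "$WORK/server.pem" "$WORK/server.pub"
make_keypair "$WORK/other.pem"  "$WORK/other.pub"
printf 'constructed sample: secret collected on the endpoint\n' > "$WORK/plain.txt"

encrypt_for "$WORK/server.pub" "$WORK/plain.txt" "$WORK/blob"
decrypt_with "$WORK/server.pem" "$WORK/blob" "$WORK/out.txt" && echo "server key: decrypted OK"
cmp -s "$WORK/plain.txt" "$WORK/out.txt" && echo "server key: plaintext matches"

if decrypt_with "$WORK/other.pem" "$WORK/blob" "$WORK/wrong.txt"; then
    echo "unexpected: unrelated key decrypted the blob"; exit 1
else
    echo "other key: rejected as expected"
fi
```

Two caveats a practitioner would want alongside this. First, `openssl enc` gives confidentiality only, with no integrity protection; if the ciphertext travels through anything untrusted, add a MAC (for example `openssl dgst -sha256 -hmac` keyed from the same session key) or use a library that offers AES-GCM. Second, the whole scheme is only as good as the endpoint's confidence in the public key it holds, which is exactly what distributing that key through a signed site or masthead is meant to provide.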