Creating new eyaml entries when private key is not available

[Larry Fast]

Our plan for eyaml is that operations owns and protects the private key.  So developers only have access to the public key and after creating new encrypted values cannot decrypt them. Unless I'm missing something, developers won't be able to use 'eyaml edit' because it requires the private key. As far as I can tell, the workflow in developer space is...

> eyaml -s [string you want encrypted]

Then paste the ENC[] text into the .eyaml file and save it back to the git repo.

That's a reasonably tight workflow, I'm just wondering if I missed a better one.