Any of the suggestions above would most likely work. Running an API sidecar or separate service would just be the cost of exposing the REST API.
I could definitely envision people deciding against using your key store when comparing to something like Vault based just on the fact that you limit extensibility with no API.