Are these secrets encrypted with the passphrase encryption (default for local backend) or the Pulumi service encryption (default for Pulumi service backend)?
If the former, it is possible you could recreate the same encryption used in the Pulumi CLI sources. If the latter, you may be able to use the Pulumi service REST API (not yet documented, but stable for use from old CLIs).