in reply to Re^2: Effective database column level encryption?
in thread Effective database column level encryption?
I think what you're getting at is key exchange... secure methods to exchange secret keys. There are well-defined solutions but they may fall into your "wary of being security theatre".
In general, look at Internet Key Exchange.
Key exchange works using a key management server. To your need, an authorized consumer of the encrypted data would need to establish a security association with the key management server to gain access to the secret key needed to decrypt the data.
You might want to look at Crypt::DH or Crypt::PK::DH. On CPAN, search for "diffie-hellman".
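An added example, not part of the original post: a consumer and a key server run Diffie-Hellman with Crypt::PK::DH, derive a session key, and use it to deliver a wrapped column key. It assumes CryptX is installed; the variable names, the `column-key-wrap` and `column-key-v1` labels, and the sample column key are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::PK::DH;
use Crypt::KeyDerivation qw(hkdf);
use Crypt::AuthEnc::GCM qw(gcm_encrypt_authenticate gcm_decrypt_verify);
use Crypt::PRNG qw(random_bytes);

# Constructed sample: the 256-bit column key that the key server protects.
my $column_key = random_bytes(32);

# Each side generates an ephemeral key pair in the same 2048-bit group.
my $server   = Crypt::PK::DH->new; $server->generate_key('ike2048');
my $consumer = Crypt::PK::DH->new; $consumer->generate_key('ike2048');

# Only the public halves cross the wire. Bare DH does not authenticate them:
# a real deployment must sign or otherwise verify these values (the job of
# the IKE security association), or an active attacker can sit in the middle.
my $server_pub_wire   = $server->export_key('public');
my $consumer_pub_wire = $consumer->export_key('public');
my $transcript        = $consumer_pub_wire . $server_pub_wire;

# Derive a 256-bit session key from the raw shared secret with HKDF-SHA256,
# salted with both public keys so the key is bound to this exchange.
sub session_key {
    my ($own, $peer_pub_wire) = @_;
    my $peer   = Crypt::PK::DH->new(\$peer_pub_wire);
    my $secret = $own->shared_secret($peer);
    return hkdf($secret, $transcript, 'SHA256', 32, 'column-key-wrap');
}

# Key server side: wrap the column key under the session key (AES-256-GCM).
my $k_server = session_key($server, $consumer_pub_wire);
my $nonce    = random_bytes(12);
my ($wrapped, $tag) = gcm_encrypt_authenticate(
    'AES', $k_server, $nonce, 'column-key-v1', $column_key);

# Consumer side: derive the same session key and unwrap.
# gcm_decrypt_verify returns undef if the tag does not verify.
my $k_consumer = session_key($consumer, $server_pub_wire);
my $unwrapped  = gcm_decrypt_verify(
    'AES', $k_consumer, $nonce, 'column-key-v1', $wrapped, $tag);

die "unwrap failed\n"
    unless defined $unwrapped && $unwrapped eq $column_key;
print "column key delivered over DH-derived session key\n";
```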