If anyone’s interested in learning a bit about Java development, you can refine this proof of concept I just whipped up:
It adds a new section to the config page of the gateway that lets you define named secret values, and then (within the gateway scope) you can run system.secrets.getSecret(<name>) to retrieve the un-encoded value.