How do I create an encrypted APFS volume from the command-line?

It seems that the volume was created correctly, but hdiutil attach just provides misleading output when you try to mount a disk with an encrypted volume on it. If you use -nomount and then proceed with diskutil commands instead, everything seems to work.

Here's the flow (there may be shortcuts but this is running from a script, so sometimes it detaches and reattaches because that's how the script is organised):

>>> hdiutil create -megabytes 1 -layout GPTSPUD -fs apfs -volname encrypted encrypted.dmg
    created: .../encrypted.dmg

>>> hdiutil attach -nomount encrypted.dmg
    /dev/disk2              GUID_partition_scheme           
    /dev/disk2s1            Apple_APFS                      
    /dev/disk3              EF57347C-0000-11AA-AA11-0030654 
    /dev/disk3s1            41504653-0000-11AA-AA11-0030654 

>>> diskutil mount disk3s1
    Volume encrypted on disk3s1 mounted

>>> diskutil apfs deleteVolume disk3s1
    Started APFS operation
    Deleting APFS Volume from its APFS Container
    Unmounting disk3s1
    Deleting Volume
    Finished APFS operation

>>> diskutil apfs addVolume disk3 APFS encrypted -nomount -stdinpassphrase
    Exporting new encrypted APFS Volume "encrypted" from APFS Container Reference disk3
    Started APFS operation on disk3
    Preparing to add APFS Volume to APFS Container disk3
    Creating APFS Volume
    Created new APFS Volume disk3s1
    Disk from APFS operation: disk3s1
    Finished APFS operation on disk3

>>> hdiutil detach /dev/disk3
    "disk3" unmounted.
    "disk3" ejected.

>>> hdiutil detach /dev/disk2
    "disk2" unmounted.
    "disk2" ejected.

>>> hdiutil attach -nomount encrypted.dmg
    /dev/disk2              GUID_partition_scheme           
    /dev/disk2s1            Apple_APFS                      
    /dev/disk3              EF57347C-0000-11AA-AA11-0030654 
    /dev/disk3s1            41504653-0000-11AA-AA11-0030654 

>>> diskutil apfs unlockVolume disk3s1 -stdinpassphrase
    Unlocking any cryptographic user on APFS Volume disk3s1
    Unlocked and mounted APFS Volume

>>> diskutil mount disk3s1
    Volume encrypted on disk3s1 mounted

>>> hdiutil detach /dev/disk3
    "disk3" unmounted.
    "disk3" ejected.

>>> hdiutil detach /dev/disk2
    "disk2" unmounted.
    "disk2" ejected.

>>> hdiutil attach -nomount encrypted.dmg
    /dev/disk2              GUID_partition_scheme           
    /dev/disk2s1            Apple_APFS                      
    /dev/disk3              EF57347C-0000-11AA-AA11-0030654 
    /dev/disk3s1            41504653-0000-11AA-AA11-0030654 

>>> dd if=/dev/disk3 of=encrypted.img

    1968+0 records in
    1968+0 records out
    1007616 bytes transferred in 0.049776 secs (20242977 bytes/sec)

>>> hdiutil detach /dev/disk3
    "disk3" unmounted.
    "disk3" ejected.

>>> hdiutil detach /dev/disk2
    "disk2" unmounted.
    "disk2" ejected.