diff --git a/composer.json b/composer.json
index 7d88e48f..47d57259 100644
--- a/composer.json
+++ b/composer.json
@@ -60,6 +60,7 @@
         "sonsofphp/pager-implementation": "0.3.x-dev",
         "sonsofphp/registry-implementation": "0.3.x-dev",
         "sonsofphp/state-machine-implementation": "0.3.x-dev",
+        "sonsofphp/vault-implementation": "0.3.x-dev",
         "sonsofphp/version-implementation": "0.3.x-dev"
     },
     "require": {
@@ -136,6 +137,7 @@
         "sonsofphp/registry-contract": "self.version",
         "sonsofphp/state-machine": "self.version",
         "sonsofphp/state-machine-contract": "self.version",
+        "sonsofphp/vault": "self.version",
         "sonsofphp/version": "self.version",
         "sonsofphp/version-contract": "self.version"
     },
@@ -172,7 +174,8 @@
             "src/SonsOfPHP/Bridge/Doctrine/DBAL/Pager/Tests",
             "src/SonsOfPHP/Bridge/Doctrine/ORM/Pager/Tests",
             "src/SonsOfPHP/Component/Version/Tests",
-            "src/SonsOfPHP/Component/Registry/Tests"
+            "src/SonsOfPHP/Component/Registry/Tests",
+            "src/SonsOfPHP/Component/Vault/Tests"
         ],
         "psr-4": {
             "SonsOfPHP\\Bard\\": "src/SonsOfPHP/Bard/src",
@@ -206,6 +209,7 @@
             "SonsOfPHP\\Component\\Pager\\": "src/SonsOfPHP/Component/Pager",
             "SonsOfPHP\\Component\\Registry\\": "src/SonsOfPHP/Component/Registry",
             "SonsOfPHP\\Component\\StateMachine\\": "src/SonsOfPHP/Component/StateMachine",
+            "SonsOfPHP\\Component\\Vault\\": "src/SonsOfPHP/Component/Vault",
             "SonsOfPHP\\Component\\Version\\": "src/SonsOfPHP/Component/Version",
             "SonsOfPHP\\Contract\\Common\\": "src/SonsOfPHP/Contract/Common",
             "SonsOfPHP\\Contract\\Cookie\\": "src/SonsOfPHP/Contract/Cookie",
diff --git a/docs/SUMMARY.md b/docs/SUMMARY.md
index 25470239..45b8232c 100644
--- a/docs/SUMMARY.md
+++ b/docs/SUMMARY.md
@@ -74,6 +74,7 @@
   * [Adapters](components/pager/adapters.md)
 * [Registry](components/registry.md)
 * [State Machine](components/state-machine.md)
+* [Vault](components/vault.md)
 * [Version](components/version.md)
 
 ## 💁 Contributing
diff --git a/docs/components/vault.md b/docs/components/vault.md
new file mode 100644
index 00000000..64966883
--- /dev/null
+++ b/docs/components/vault.md
@@ -0,0 +1,62 @@
+# Vault
+
+The Vault component securely stores secrets using pluggable storage backends and encryption with key rotation, versioning, and additional authenticated data (AAD).
+
+## Setup
+
+```php
+use SonsOfPHP\Component\Vault\Cipher\OpenSSLCipher;
+use SonsOfPHP\Component\Vault\KeyRing\InMemoryKeyRing;
+use SonsOfPHP\Component\Vault\Marshaller\JsonMarshaller;
+use SonsOfPHP\Component\Vault\Storage\InMemoryStorage;
+use SonsOfPHP\Component\Vault\Vault;
+
+$storage    = new InMemoryStorage();
+$cipher     = new OpenSSLCipher();
+$keyRing    = new InMemoryKeyRing(['v1' => '32_byte_master_key_example!!'], 'v1');
+$marshaller = new JsonMarshaller();
+$vault      = new Vault($storage, $cipher, $keyRing, $marshaller);
+```
+
+## Storing and Retrieving Secrets
+
+```php
+$vault->set('db_password', 'secret');
+$secret = $vault->get('db_password');
+```
+
+## Using Additional Authenticated Data
+
+```php
+$vault->set('token', 'secret', ['app']);
+$secret = $vault->get('token', ['app']);
+```
+
+## Versioned Secrets
+
+```php
+$vault->set('db_password', 'old-secret');
+$vault->set('db_password', 'new-secret');
+
+// Retrieve specific version
+$old = $vault->get('db_password', [], 1);
+```
+
+## Rotating Keys
+
+```php
+$vault->rotateKey('v2', 'another_32_byte_master_key!!');
+```
+
+Secrets encrypted with previous keys remain accessible because the key ring keeps old keys.
+
+## Storing Non-String Data
+
+```php
+$vault->set('config', ['user' => 'root']);
+$config = $vault->get('config');
+```
+
+## Custom Marshallers
+
+Vault uses a marshaller to convert secrets to strings before encryption. The default `JsonMarshaller` handles arrays and scalars, but you can provide your own implementation of `MarshallerInterface` for advanced use cases.
diff --git a/src/SonsOfPHP/Component/Vault/AGENTS.md b/src/SonsOfPHP/Component/Vault/AGENTS.md
new file mode 100644
index 00000000..41683607
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/AGENTS.md
@@ -0,0 +1,24 @@
+# Agents Guide for Package: src/SonsOfPHP/Component/Vault
+
+## Scope
+
+- Source: `src/SonsOfPHP/Component/Vault`
+- Tests: `src/SonsOfPHP/Component/Vault/Tests`
+- Do not edit: any `vendor/` directories
+
+## Workflows
+
+- Install once at repo root: `make install`
+- Test this package only: `PHPUNIT_OPTIONS='src/SonsOfPHP/Component/Vault/Tests' make test`
+- Style and static analysis: `make php-cs-fixer` and `make psalm`
+- Upgrade code (may modify files): `make upgrade-code`
+
+## Testing Guidelines
+
+- Use PHPUnit attributes such as `#[CoversClass]` for coverage.
+- Each test method should verify a single behavior.
+
+## Component Notes
+
+- Secrets are marshalled using implementations of `MarshallerInterface`.
+- Prefer domain-specific exceptions under `Exception/` when reporting errors.
diff --git a/src/SonsOfPHP/Component/Vault/Cipher/CipherInterface.php b/src/SonsOfPHP/Component/Vault/Cipher/CipherInterface.php
new file mode 100644
index 00000000..291bedfa
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/Cipher/CipherInterface.php
@@ -0,0 +1,27 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SonsOfPHP\Component\Vault\Cipher;
+
+use SensitiveParameter;
+
+/**
+ * Defines methods for encrypting and decrypting secrets.
+ */
+interface CipherInterface
+{
+    /**
+     * Encrypts plaintext using the provided key and optional authenticated data.
+     *
+     * @param array<array-key, mixed> $aad Additional authenticated data.
+     */
+    public function encrypt(#[SensitiveParameter] string $plaintext, #[SensitiveParameter] string $key, array $aad = []): string;
+
+    /**
+     * Decrypts ciphertext using the provided key and optional authenticated data.
+     *
+     * @param array<array-key, mixed> $aad Additional authenticated data.
+     */
+    public function decrypt(#[SensitiveParameter] string $ciphertext, #[SensitiveParameter] string $key, array $aad = []): string;
+}
diff --git a/src/SonsOfPHP/Component/Vault/Cipher/OpenSSLCipher.php b/src/SonsOfPHP/Component/Vault/Cipher/OpenSSLCipher.php
new file mode 100644
index 00000000..46b06629
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/Cipher/OpenSSLCipher.php
@@ -0,0 +1,67 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SonsOfPHP\Component\Vault\Cipher;
+
+use SensitiveParameter;
+use SonsOfPHP\Component\Vault\Exception\DecryptionFailedException;
+use SonsOfPHP\Component\Vault\Exception\EncryptionFailedException;
+use SonsOfPHP\Component\Vault\Exception\InvalidCiphertextException;
+
+/**
+ * Encrypts and decrypts secrets using OpenSSL.
+ */
+class OpenSSLCipher implements CipherInterface
+{
+    /**
+     * @param string $cipherMethod OpenSSL cipher method supporting AEAD.
+     */
+    public function __construct(private readonly string $cipherMethod = 'aes-256-gcm') {}
+
+    /**
+     * @param array<array-key, mixed> $aad Additional authenticated data.
+     *
+     * @throws EncryptionFailedException
+     */
+    public function encrypt(#[SensitiveParameter] string $plaintext, #[SensitiveParameter] string $key, array $aad = []): string
+    {
+        $ivLength   = openssl_cipher_iv_length($this->cipherMethod);
+        $iv         = random_bytes($ivLength);
+        $tag        = '';
+        $encodedAad = json_encode($aad);
+        $encrypted  = openssl_encrypt($plaintext, $this->cipherMethod, $key, OPENSSL_RAW_DATA, $iv, $tag, $encodedAad, 16);
+        if (false === $encrypted) {
+            throw new EncryptionFailedException('Unable to encrypt secret.');
+        }
+
+        return base64_encode($iv . $tag . $encrypted);
+    }
+
+    /**
+     * @param array<array-key, mixed> $aad Additional authenticated data.
+     *
+     * @throws InvalidCiphertextException
+     * @throws DecryptionFailedException
+     */
+    public function decrypt(#[SensitiveParameter] string $ciphertext, #[SensitiveParameter] string $key, array $aad = []): string
+    {
+        $data = base64_decode($ciphertext, true);
+        if (false === $data) {
+            throw new InvalidCiphertextException('Invalid ciphertext.');
+        }
+
+        $ivLength  = openssl_cipher_iv_length($this->cipherMethod);
+        $tagLength = 16;
+        $iv         = substr($data, 0, $ivLength);
+        $tag        = substr($data, $ivLength, $tagLength);
+        $payload    = substr($data, $ivLength + $tagLength);
+        $encodedAad = json_encode($aad);
+        $decrypted  = openssl_decrypt($payload, $this->cipherMethod, $key, OPENSSL_RAW_DATA, $iv, $tag, $encodedAad);
+        if (false === $decrypted) {
+            throw new DecryptionFailedException('Unable to decrypt secret.');
+        }
+
+        return $decrypted;
+    }
+}
diff --git a/src/SonsOfPHP/Component/Vault/Exception/CipherException.php b/src/SonsOfPHP/Component/Vault/Exception/CipherException.php
new file mode 100644
index 00000000..8c01d298
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/Exception/CipherException.php
@@ -0,0 +1,10 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SonsOfPHP\Component\Vault\Exception;
+
+/**
+ * Base exception for cipher related failures.
+ */
+class CipherException extends VaultException {}
diff --git a/src/SonsOfPHP/Component/Vault/Exception/DecryptionFailedException.php b/src/SonsOfPHP/Component/Vault/Exception/DecryptionFailedException.php
new file mode 100644
index 00000000..2b4b610a
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/Exception/DecryptionFailedException.php
@@ -0,0 +1,10 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SonsOfPHP\Component\Vault\Exception;
+
+/**
+ * Thrown when a value cannot be decrypted.
+ */
+class DecryptionFailedException extends CipherException {}
diff --git a/src/SonsOfPHP/Component/Vault/Exception/EncryptionFailedException.php b/src/SonsOfPHP/Component/Vault/Exception/EncryptionFailedException.php
new file mode 100644
index 00000000..b12dc9e0
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/Exception/EncryptionFailedException.php
@@ -0,0 +1,10 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SonsOfPHP\Component\Vault\Exception;
+
+/**
+ * Thrown when a value cannot be encrypted.
+ */
+class EncryptionFailedException extends CipherException {}
diff --git a/src/SonsOfPHP/Component/Vault/Exception/InvalidCiphertextException.php b/src/SonsOfPHP/Component/Vault/Exception/InvalidCiphertextException.php
new file mode 100644
index 00000000..7283b8ce
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/Exception/InvalidCiphertextException.php
@@ -0,0 +1,10 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SonsOfPHP\Component\Vault\Exception;
+
+/**
+ * Thrown when ciphertext cannot be decoded before decryption.
+ */
+class InvalidCiphertextException extends CipherException {}
diff --git a/src/SonsOfPHP/Component/Vault/Exception/MarshallingException.php b/src/SonsOfPHP/Component/Vault/Exception/MarshallingException.php
new file mode 100644
index 00000000..4e96faa3
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/Exception/MarshallingException.php
@@ -0,0 +1,10 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SonsOfPHP\Component\Vault\Exception;
+
+/**
+ * Thrown when marshalling or unmarshalling secret data fails.
+ */
+class MarshallingException extends VaultException {}
diff --git a/src/SonsOfPHP/Component/Vault/Exception/SecretStorageCorruptedException.php b/src/SonsOfPHP/Component/Vault/Exception/SecretStorageCorruptedException.php
new file mode 100644
index 00000000..6750980f
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/Exception/SecretStorageCorruptedException.php
@@ -0,0 +1,10 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SonsOfPHP\Component\Vault\Exception;
+
+/**
+ * Thrown when the stored secret data is malformed or corrupted.
+ */
+class SecretStorageCorruptedException extends VaultException {}
diff --git a/src/SonsOfPHP/Component/Vault/Exception/UnknownKeyException.php b/src/SonsOfPHP/Component/Vault/Exception/UnknownKeyException.php
new file mode 100644
index 00000000..8772540b
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/Exception/UnknownKeyException.php
@@ -0,0 +1,10 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SonsOfPHP\Component\Vault\Exception;
+
+/**
+ * Thrown when a key cannot be found in the key ring.
+ */
+class UnknownKeyException extends VaultException {}
diff --git a/src/SonsOfPHP/Component/Vault/Exception/VaultException.php b/src/SonsOfPHP/Component/Vault/Exception/VaultException.php
new file mode 100644
index 00000000..ed18055c
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/Exception/VaultException.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SonsOfPHP\Component\Vault\Exception;
+
+use RuntimeException;
+
+/**
+ * Base exception for the Vault component.
+ */
+class VaultException extends RuntimeException {}
diff --git a/src/SonsOfPHP/Component/Vault/KeyRing/InMemoryKeyRing.php b/src/SonsOfPHP/Component/Vault/KeyRing/InMemoryKeyRing.php
new file mode 100644
index 00000000..3981ef09
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/KeyRing/InMemoryKeyRing.php
@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SonsOfPHP\Component\Vault\KeyRing;
+
+use SensitiveParameter;
+
+/**
+ * Simple key ring that keeps keys in memory.
+ */
+class InMemoryKeyRing implements KeyRingInterface
+{
+    /**
+     * @param array<string, string> $keys Map of key IDs to keys.
+     * @param string                $currentKeyId Identifier of the active key.
+     */
+    public function __construct(private array $keys, private string $currentKeyId) {}
+
+    public function getCurrentKeyId(): string
+    {
+        return $this->currentKeyId;
+    }
+
+    public function getCurrentKey(): string
+    {
+        return $this->keys[$this->currentKeyId];
+    }
+
+    public function getKey(string $keyId): ?string
+    {
+        return $this->keys[$keyId] ?? null;
+    }
+
+    public function rotate(string $keyId, #[SensitiveParameter] string $key): void
+    {
+        $this->keys[$keyId] = $key;
+        $this->currentKeyId = $keyId;
+    }
+}
diff --git a/src/SonsOfPHP/Component/Vault/KeyRing/KeyRingInterface.php b/src/SonsOfPHP/Component/Vault/KeyRing/KeyRingInterface.php
new file mode 100644
index 00000000..e779e013
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/KeyRing/KeyRingInterface.php
@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SonsOfPHP\Component\Vault\KeyRing;
+
+use SensitiveParameter;
+
+/**
+ * Manages encryption keys and their versions.
+ */
+interface KeyRingInterface
+{
+    /**
+     * Returns the identifier for the current key.
+     */
+    public function getCurrentKeyId(): string;
+
+    /**
+     * Returns the current encryption key.
+     */
+    public function getCurrentKey(): string;
+
+    /**
+     * Fetches a key by its identifier or null if missing.
+     */
+    public function getKey(string $keyId): ?string;
+
+    /**
+     * Rotates to a new key and sets it as current.
+     */
+    public function rotate(string $keyId, #[SensitiveParameter] string $key): void;
+}
diff --git a/src/SonsOfPHP/Component/Vault/LICENSE b/src/SonsOfPHP/Component/Vault/LICENSE
new file mode 100644
index 00000000..39238382
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/LICENSE
@@ -0,0 +1,19 @@
+Copyright 2022 to Present Joshua Estes
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/src/SonsOfPHP/Component/Vault/Marshaller/JsonMarshaller.php b/src/SonsOfPHP/Component/Vault/Marshaller/JsonMarshaller.php
new file mode 100644
index 00000000..1324d92f
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/Marshaller/JsonMarshaller.php
@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SonsOfPHP\Component\Vault\Marshaller;
+
+use JsonException;
+use SonsOfPHP\Component\Vault\Exception\MarshallingException;
+
+/**
+ * Serializes values using JSON.
+ */
+final class JsonMarshaller implements MarshallerInterface
+{
+    public function marshall(mixed $value): string
+    {
+        try {
+            return json_encode($value, JSON_THROW_ON_ERROR);
+        } catch (JsonException $jsonException) {
+            throw new MarshallingException('Unable to encode value.', 0, $jsonException);
+        }
+    }
+
+    public function unmarshall(string $value): mixed
+    {
+        try {
+            return json_decode($value, true, 512, JSON_THROW_ON_ERROR);
+        } catch (JsonException $jsonException) {
+            throw new MarshallingException('Unable to decode value.', 0, $jsonException);
+        }
+    }
+}
diff --git a/src/SonsOfPHP/Component/Vault/Marshaller/MarshallerInterface.php b/src/SonsOfPHP/Component/Vault/Marshaller/MarshallerInterface.php
new file mode 100644
index 00000000..2656852d
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/Marshaller/MarshallerInterface.php
@@ -0,0 +1,25 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SonsOfPHP\Component\Vault\Marshaller;
+
+use SonsOfPHP\Component\Vault\Exception\MarshallingException;
+
+/**
+ * Marshals PHP values to and from storable strings.
+ */
+interface MarshallerInterface
+{
+    /**
+     * Converts a PHP value to a string for storage.
+     */
+    public function marshall(mixed $value): string;
+
+    /**
+     * Restores a PHP value from stored data.
+     *
+     * @throws MarshallingException
+     */
+    public function unmarshall(string $value): mixed;
+}
diff --git a/src/SonsOfPHP/Component/Vault/README.md b/src/SonsOfPHP/Component/Vault/README.md
new file mode 100644
index 00000000..15561d37
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/README.md
@@ -0,0 +1,18 @@
+Sons of PHP - Vault
+===================
+
+Secure secret storage with pluggable backends, key rotation, secret versioning, customizable marshallers, and support for additional authenticated data.
+
+## Learn More
+
+* [Documentation][docs]
+* [Contributing][contributing]
+* [Report Issues][issues] and [Submit Pull Requests][pull-requests] in the [Mother Repository][mother-repo]
+* Get Help & Support using [Discussions][discussions]
+
+[discussions]: https://github.com/orgs/SonsOfPHP/discussions
+[mother-repo]: https://github.com/SonsOfPHP/sonsofphp
+[contributing]: https://docs.sonsofphp.com/contributing/
+[docs]: https://docs.sonsofphp.com/components/vault/
+[issues]: https://github.com/SonsOfPHP/sonsofphp/issues?q=is%3Aopen+is%3Aissue+label%3AVault
+[pull-requests]: https://github.com/SonsOfPHP/sonsofphp/pulls?q=is%3Aopen+is%3Apr+label%3AVault
diff --git a/src/SonsOfPHP/Component/Vault/ROADMAP.md b/src/SonsOfPHP/Component/Vault/ROADMAP.md
new file mode 100644
index 00000000..b3971e99
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/ROADMAP.md
@@ -0,0 +1,38 @@
+# Vault Component Roadmap
+
+## Upcoming Features
+
+### Add filesystem storage adapter
+- [ ] Implementation uses encrypted files to persist secrets.
+- **Acceptance Criteria**
+  - All Global DoR items are satisfied before implementation begins.
+  - Filesystem adapter securely reads and writes secrets.
+  - Implementation meets the Global DoD.
+
+### Add database storage adapter
+- [ ] Store secrets in a relational database using PDO.
+- **Acceptance Criteria**
+  - All Global DoR items are satisfied before implementation begins.
+  - Secrets are encrypted before storage.
+  - Implementation meets the Global DoD.
+
+### Add Redis storage adapter
+- [ ] Store secrets in Redis for fast access.
+- **Acceptance Criteria**
+  - All Global DoR items are satisfied before implementation begins.
+  - Redis adapter encrypts secrets and handles expirations.
+  - Implementation meets the Global DoD.
+
+### Provide CLI tools for managing secrets
+- [ ] Expose commands to set, get, and rotate secrets.
+- **Acceptance Criteria**
+  - All Global DoR items are satisfied before implementation begins.
+  - CLI allows basic secret management tasks.
+  - Implementation meets the Global DoD.
+
+### Add Symfony Serializer marshaller
+- [ ] Support complex object graphs using Symfony's Serializer component.
+- **Acceptance Criteria**
+  - All Global DoR items are satisfied before implementation begins.
+  - Marshaller encodes and decodes objects using Symfony Serializer.
+  - Implementation meets the Global DoD.
diff --git a/src/SonsOfPHP/Component/Vault/Storage/InMemoryStorage.php b/src/SonsOfPHP/Component/Vault/Storage/InMemoryStorage.php
new file mode 100644
index 00000000..8089992d
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/Storage/InMemoryStorage.php
@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SonsOfPHP\Component\Vault\Storage;
+
+/**
+ * Simple in-memory storage for secrets.
+ */
+class InMemoryStorage implements StorageInterface
+{
+    /**
+     * @var array<string, string>
+     */
+    private array $secrets = [];
+
+    public function set(string $name, string $value): void
+    {
+        $this->secrets[$name] = $value;
+    }
+
+    public function get(string $name): ?string
+    {
+        return $this->secrets[$name] ?? null;
+    }
+
+    public function delete(string $name): void
+    {
+        unset($this->secrets[$name]);
+    }
+}
diff --git a/src/SonsOfPHP/Component/Vault/Storage/StorageInterface.php b/src/SonsOfPHP/Component/Vault/Storage/StorageInterface.php
new file mode 100644
index 00000000..6db80c28
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/Storage/StorageInterface.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SonsOfPHP\Component\Vault\Storage;
+
+/**
+ * Defines methods for persisting secrets.
+ */
+interface StorageInterface
+{
+    /**
+     * Stores an encrypted secret.
+     */
+    public function set(string $name, string $value): void;
+
+    /**
+     * Retrieves an encrypted secret or null if it does not exist.
+     */
+    public function get(string $name): ?string;
+
+    /**
+     * Deletes a secret.
+     */
+    public function delete(string $name): void;
+}
diff --git a/src/SonsOfPHP/Component/Vault/Tests/VaultTest.php b/src/SonsOfPHP/Component/Vault/Tests/VaultTest.php
new file mode 100644
index 00000000..29f7113a
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/Tests/VaultTest.php
@@ -0,0 +1,134 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SonsOfPHP\Component\Vault\Tests;
+
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\TestCase;
+use SonsOfPHP\Component\Vault\Cipher\OpenSSLCipher;
+use SonsOfPHP\Component\Vault\Exception\DecryptionFailedException;
+use SonsOfPHP\Component\Vault\Exception\UnknownKeyException;
+use SonsOfPHP\Component\Vault\KeyRing\InMemoryKeyRing;
+use SonsOfPHP\Component\Vault\Marshaller\JsonMarshaller;
+use SonsOfPHP\Component\Vault\Storage\InMemoryStorage;
+use SonsOfPHP\Component\Vault\Vault;
+
+#[CoversClass(Vault::class)]
+class VaultTest extends TestCase
+{
+    /**
+     * Creates a vault instance for testing.
+     */
+    private function createVault(?InMemoryStorage &$storage = null): Vault
+    {
+        $storage    ??= new InMemoryStorage();
+        $cipher      = new OpenSSLCipher();
+        $keyRing     = new InMemoryKeyRing(['v1' => 'test_encryption_key_32_bytes!'], 'v1');
+        $marshaller  = new JsonMarshaller();
+
+        return new Vault($storage, $cipher, $keyRing, $marshaller);
+    }
+
+    public function testSecretCanBeRetrieved(): void
+    {
+        $vault = $this->createVault();
+        $vault->set('db_password', 'secret');
+
+        $this->assertSame('secret', $vault->get('db_password'));
+    }
+
+    public function testGetReturnsNullWhenSecretIsMissing(): void
+    {
+        $vault = $this->createVault();
+
+        $this->assertNull($vault->get('missing'));
+    }
+
+    public function testSecretCanBeDeleted(): void
+    {
+        $vault = $this->createVault();
+        $vault->set('api_key', 'secret');
+        $vault->delete('api_key');
+
+        $this->assertNull($vault->get('api_key'));
+    }
+
+    public function testSetAndGetWithArray(): void
+    {
+        $vault = $this->createVault();
+        $vault->set('config', ['user' => 'root']);
+
+        $this->assertSame(['user' => 'root'], $vault->get('config'));
+    }
+
+    public function testSetAndGetWithAad(): void
+    {
+        $vault = $this->createVault();
+        $vault->set('token', 'secret', ['aad']);
+
+        $this->assertSame('secret', $vault->get('token', ['aad']));
+    }
+
+    public function testGetThrowsWhenAadDoesNotMatch(): void
+    {
+        $vault = $this->createVault();
+        $vault->set('token', 'secret', ['aad']);
+
+        $this->expectException(DecryptionFailedException::class);
+        $vault->get('token', ['bad']);
+    }
+
+    public function testSecretsEncryptedBeforeRotationAreStillAccessible(): void
+    {
+        $vault = $this->createVault();
+        $vault->set('legacy', 'secret');
+        $vault->rotateKey('v2', 'another_32_byte_encryption_key!!');
+
+        $this->assertSame('secret', $vault->get('legacy'));
+    }
+
+    public function testRotateKeyChangesActiveKey(): void
+    {
+        $storage = new InMemoryStorage();
+        $vault   = $this->createVault($storage);
+        $vault->rotateKey('v2', 'another_32_byte_encryption_key!!');
+        $vault->set('current', 'secret');
+
+        $stored   = $storage->get('current');
+        $versions = json_decode((string) $stored, true, 512, JSON_THROW_ON_ERROR);
+        $this->assertStringStartsWith('v2:', $versions['1']);
+    }
+
+    public function testGetReturnsLatestVersion(): void
+    {
+        $vault = $this->createVault();
+        $vault->set('name', 'first');
+        $vault->set('name', 'second');
+
+        $this->assertSame('second', $vault->get('name'));
+    }
+
+    public function testSpecificVersionCanBeRetrieved(): void
+    {
+        $vault = $this->createVault();
+        $vault->set('name', 'first');
+        $vault->set('name', 'second');
+
+        $this->assertSame('first', $vault->get('name', [], 1));
+    }
+
+    public function testGetThrowsWhenKeyIsUnknown(): void
+    {
+        $storage = new InMemoryStorage();
+        $vault   = $this->createVault($storage);
+        $vault->set('secret', 'value');
+
+        $otherKeyRing = new InMemoryKeyRing(['v2' => 'another_32_byte_encryption_key!!'], 'v2');
+        $marshaller   = new JsonMarshaller();
+        $otherVault   = new Vault($storage, new OpenSSLCipher(), $otherKeyRing, $marshaller);
+
+        $this->expectException(UnknownKeyException::class);
+        $otherVault->get('secret');
+    }
+}
diff --git a/src/SonsOfPHP/Component/Vault/Vault.php b/src/SonsOfPHP/Component/Vault/Vault.php
new file mode 100644
index 00000000..626bbff4
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/Vault.php
@@ -0,0 +1,135 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SonsOfPHP\Component\Vault;
+
+use JsonException;
+use SensitiveParameter;
+use SonsOfPHP\Component\Vault\Cipher\CipherInterface;
+use SonsOfPHP\Component\Vault\Exception\MarshallingException;
+use SonsOfPHP\Component\Vault\Exception\SecretStorageCorruptedException;
+use SonsOfPHP\Component\Vault\Exception\UnknownKeyException;
+use SonsOfPHP\Component\Vault\KeyRing\KeyRingInterface;
+use SonsOfPHP\Component\Vault\Marshaller\MarshallerInterface;
+use SonsOfPHP\Component\Vault\Storage\StorageInterface;
+
+/**
+ * Vault stores encrypted secrets using a pluggable storage backend with
+ * support for additional authenticated data and key rotation.
+ */
+class Vault
+{
+    /**
+     * @param StorageInterface   $storage    The storage backend.
+     * @param CipherInterface    $cipher     The cipher used for encryption.
+     * @param KeyRingInterface   $keyRing    Provides access to encryption keys.
+     * @param MarshallerInterface $marshaller Converts secrets to storable strings.
+     */
+    public function __construct(private readonly StorageInterface $storage, private readonly CipherInterface $cipher, private readonly KeyRingInterface $keyRing, private readonly MarshallerInterface $marshaller) {}
+
+    /**
+     * Stores a secret in the vault.
+     *
+     * @param string                  $name   Identifier of the secret.
+     * @param mixed                   $secret The secret to store.
+     * @param array<array-key, mixed> $aad    Additional authenticated data.
+     *
+     * @throws MarshallingException
+     * @throws SecretStorageCorruptedException
+     */
+    public function set(string $name, #[SensitiveParameter] mixed $secret, array $aad = []): void
+    {
+        $encoded   = $this->marshaller->marshall($secret);
+        $key       = $this->keyRing->getCurrentKey();
+        $encrypted = $this->cipher->encrypt($encoded, $key, $aad);
+
+        $record = $this->storage->get($name);
+        if (null === $record) {
+            $versions = [];
+        } else {
+            try {
+                $versions = json_decode($record, true, 512, JSON_THROW_ON_ERROR);
+            } catch (JsonException $e) {
+                throw new SecretStorageCorruptedException('Invalid secret storage format.', 0, $e);
+            }
+
+            if (!is_array($versions)) {
+                throw new SecretStorageCorruptedException('Invalid secret storage format.');
+            }
+        }
+
+        $version                     = $versions === [] ? 1 : max(array_map('intval', array_keys($versions))) + 1;
+        $versions[(string) $version] = $this->keyRing->getCurrentKeyId() . ':' . $encrypted;
+        $this->storage->set($name, json_encode($versions, JSON_THROW_ON_ERROR));
+    }
+
+    /**
+     * Retrieves a secret from the vault or null if it does not exist.
+     *
+     * @param string                  $name    Identifier of the secret.
+     * @param array<array-key, mixed> $aad     Additional authenticated data.
+     * @param int|null                $version Specific version to retrieve or null for latest.
+     *
+     * @return mixed|null
+     *
+     * @throws MarshallingException
+     * @throws SecretStorageCorruptedException
+     * @throws UnknownKeyException
+     */
+    public function get(string $name, array $aad = [], ?int $version = null): mixed
+    {
+        $record = $this->storage->get($name);
+        if (null === $record) {
+            return null;
+        }
+
+        try {
+            $versions = json_decode($record, true, 512, JSON_THROW_ON_ERROR);
+        } catch (JsonException $jsonException) {
+            throw new SecretStorageCorruptedException('Invalid secret storage format.', 0, $jsonException);
+        }
+
+        if (!is_array($versions)) {
+            throw new SecretStorageCorruptedException('Invalid secret storage format.');
+        }
+
+        if (null === $version) {
+            $version = (int) max(array_map('intval', array_keys($versions)));
+        }
+
+        $entry = $versions[(string) $version] ?? null;
+        if (null === $entry) {
+            return null;
+        }
+
+        [$keyId, $ciphertext] = explode(':', (string) $entry, 2);
+        $key                   = $this->keyRing->getKey($keyId);
+        if (null === $key) {
+            throw new UnknownKeyException(sprintf('Unknown key identifier "%s".', $keyId));
+        }
+
+        $encoded = $this->cipher->decrypt($ciphertext, $key, $aad);
+
+        return $this->marshaller->unmarshall($encoded);
+    }
+
+    /**
+     * Removes a secret from the vault.
+     */
+    public function delete(string $name): void
+    {
+        $this->storage->delete($name);
+    }
+
+    /**
+     * Rotates the active encryption key.
+     *
+     * @param string $keyId Identifier for the new key.
+     * @param string $key   The new encryption key.
+     */
+    public function rotateKey(string $keyId, #[SensitiveParameter] string $key): void
+    {
+        $this->keyRing->rotate($keyId, $key);
+    }
+}
diff --git a/src/SonsOfPHP/Component/Vault/composer.json b/src/SonsOfPHP/Component/Vault/composer.json
new file mode 100644
index 00000000..467ded5a
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/composer.json
@@ -0,0 +1,58 @@
+{
+    "name": "sonsofphp/vault",
+    "type": "library",
+    "description": "Secure secret storage for PHP applications",
+    "keywords": [
+        "vault",
+        "secret",
+        "encryption"
+    ],
+    "homepage": "https://github.com/SonsOfPHP/vault",
+    "license": "MIT",
+    "authors": [
+        {
+            "name": "Sons of PHP Community",
+            "homepage": "https://github.com/SonsOfPHP/sonsofphp/graphs/contributors"
+        },
+        {
+            "name": "Joshua Estes",
+            "email": "joshua@sonsofphp.com"
+        }
+    ],
+    "support": {
+        "issues": "https://github.com/SonsOfPHP/sonsofphp/issues",
+        "forum": "https://github.com/orgs/SonsOfPHP/discussions",
+        "docs": "https://docs.sonsofphp.com"
+    },
+    "autoload": {
+        "psr-4": {
+            "SonsOfPHP\\Component\\Vault\\": ""
+        },
+        "exclude-from-classmap": [
+            "/Tests/"
+        ]
+    },
+    "minimum-stability": "dev",
+    "prefer-stable": true,
+    "require": {
+        "php": ">=8.3",
+        "ext-json": "*",
+        "ext-openssl": "*"
+    },
+    "extra": {
+        "sort-packages": true,
+        "branch-alias": {
+            "dev-main": "0.3.x-dev"
+        }
+    },
+    "funding": [
+        {
+            "type": "github",
+            "url": "https://github.com/sponsors/JoshuaEstes"
+        },
+        {
+            "type": "tidelift",
+            "url": "https://tidelift.com/subscription/pkg/packagist-sonsofphp-sonsofphp"
+        }
+    ]
+}
diff --git a/src/SonsOfPHP/Component/Vault/phpunit.xml.dist b/src/SonsOfPHP/Component/Vault/phpunit.xml.dist
new file mode 100644
index 00000000..3357cf7c
--- /dev/null
+++ b/src/SonsOfPHP/Component/Vault/phpunit.xml.dist
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/10.3/phpunit.xsd"
+    backupGlobals="false"
+    colors="true"
+    bootstrap="vendor/autoload.php"
+    failOnRisky="true"
+    failOnWarning="true"
+>
+
+  <php>
+    <ini name="error_reporting" value="-1" />
+  </php>
+
+    <testsuites>
+        <testsuite name="vault">
+            <directory>./Tests/</directory>
+        </testsuite>
+    </testsuites>
+
+  <source>
+      <include>
+          <directory>.</directory>
+      </include>
+      <exclude>
+          <directory>./Tests</directory>
+          <directory>./vendor</directory>
+      </exclude>
+  </source>
+</phpunit>