diff --git a/src/ScadaLink.Transport/Encryption/BundleSecretEncryptor.cs b/src/ScadaLink.Transport/Encryption/BundleSecretEncryptor.cs
new file mode 100644
index 0000000..23dc769
--- /dev/null
+++ b/src/ScadaLink.Transport/Encryption/BundleSecretEncryptor.cs
@@ -0,0 +1,76 @@
+using System.Security.Cryptography;
+using ScadaLink.Commons.Types.Transport;
+
+namespace ScadaLink.Transport.Encryption;
+
+///
+/// AES-256-GCM authenticated encryption with a PBKDF2-SHA256 derived key.
+/// Output format is ciphertext || tag (tag is the GCM authentication tag).
+/// Each encrypt call produces a fresh random salt + nonce so re-encrypting the
+/// same plaintext yields a different ciphertext.
+///
+public sealed class BundleSecretEncryptor
+{
+ private const int KeyBytes = 32; // AES-256.
+ private const int SaltBytes = 16;
+ private const int NonceBytes = 12; // GCM standard.
+ private const int TagBytes = 16;
+
+ public (byte[] Ciphertext, EncryptionMetadata Metadata) Encrypt(
+ ReadOnlySpan plaintext,
+ string passphrase,
+ int iterations)
+ {
+ var salt = RandomNumberGenerator.GetBytes(SaltBytes);
+ var nonce = RandomNumberGenerator.GetBytes(NonceBytes);
+ var key = DeriveKey(passphrase, salt, iterations);
+
+ var ciphertext = new byte[plaintext.Length];
+ var tag = new byte[TagBytes];
+ using var aes = new AesGcm(key, TagBytes);
+ aes.Encrypt(nonce, plaintext, ciphertext, tag);
+
+ // Format: ciphertext || tag.
+ var output = new byte[ciphertext.Length + TagBytes];
+ Buffer.BlockCopy(ciphertext, 0, output, 0, ciphertext.Length);
+ Buffer.BlockCopy(tag, 0, output, ciphertext.Length, TagBytes);
+
+ return (output, new EncryptionMetadata(
+ "AES-256-GCM", "PBKDF2-SHA256", iterations,
+ Convert.ToBase64String(salt),
+ Convert.ToBase64String(nonce)));
+ }
+
+ public byte[] Decrypt(ReadOnlySpan payload, EncryptionMetadata metadata, string passphrase)
+ {
+ ArgumentNullException.ThrowIfNull(metadata);
+
+ if (metadata.Algorithm != "AES-256-GCM" || metadata.Kdf != "PBKDF2-SHA256")
+ {
+ throw new CryptographicException("Unsupported bundle encryption parameters.");
+ }
+
+ var salt = Convert.FromBase64String(metadata.SaltB64);
+ var nonce = Convert.FromBase64String(metadata.IvB64);
+ var key = DeriveKey(passphrase, salt, metadata.Iterations);
+
+ if (payload.Length < TagBytes)
+ {
+ throw new CryptographicException("Bundle payload too short.");
+ }
+
+ var ctLen = payload.Length - TagBytes;
+ var ciphertext = payload[..ctLen];
+ var tag = payload[ctLen..];
+
+ var plaintext = new byte[ctLen];
+ using var aes = new AesGcm(key, TagBytes);
+ aes.Decrypt(nonce, ciphertext, tag, plaintext);
+ return plaintext;
+ }
+
+ private static byte[] DeriveKey(string passphrase, byte[] salt, int iterations)
+ {
+ return Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, iterations, HashAlgorithmName.SHA256, KeyBytes);
+ }
+}
diff --git a/tests/ScadaLink.Transport.Tests/Encryption/BundleSecretEncryptorTests.cs b/tests/ScadaLink.Transport.Tests/Encryption/BundleSecretEncryptorTests.cs
new file mode 100644
index 0000000..e01ff96
--- /dev/null
+++ b/tests/ScadaLink.Transport.Tests/Encryption/BundleSecretEncryptorTests.cs
@@ -0,0 +1,78 @@
+using System.Security.Cryptography;
+using System.Text;
+using ScadaLink.Transport.Encryption;
+
+namespace ScadaLink.Transport.Tests.Encryption;
+
+public sealed class BundleSecretEncryptorTests
+{
+ private const int TestIterations = 10_000; // Lower than production for test speed.
+
+ [Fact]
+ public void Encrypt_then_Decrypt_roundtrips_arbitrary_bytes()
+ {
+ var sut = new BundleSecretEncryptor();
+ var plaintext = Encoding.UTF8.GetBytes("the quick brown fox jumps over the lazy dog");
+
+ var (ciphertext, metadata) = sut.Encrypt(plaintext, "correct-horse-battery-staple", TestIterations);
+ var recovered = sut.Decrypt(ciphertext, metadata, "correct-horse-battery-staple");
+
+ Assert.Equal(plaintext, recovered);
+ }
+
+ [Fact]
+ public void Decrypt_with_wrong_passphrase_throws_CryptographicException()
+ {
+ var sut = new BundleSecretEncryptor();
+ var plaintext = Encoding.UTF8.GetBytes("secret payload");
+
+ var (ciphertext, metadata) = sut.Encrypt(plaintext, "right-pass", TestIterations);
+
+ Assert.ThrowsAny(() => sut.Decrypt(ciphertext, metadata, "wrong-pass"));
+ }
+
+ [Fact]
+ public void Decrypt_with_tampered_ciphertext_throws_CryptographicException()
+ {
+ var sut = new BundleSecretEncryptor();
+ var plaintext = Encoding.UTF8.GetBytes("secret payload");
+
+ var (ciphertext, metadata) = sut.Encrypt(plaintext, "pass", TestIterations);
+ ciphertext[0] ^= 0xFF; // Flip every bit in the first ciphertext byte.
+
+ Assert.ThrowsAny(() => sut.Decrypt(ciphertext, metadata, "pass"));
+ }
+
+ [Fact]
+ public void Encrypt_produces_distinct_ciphertext_for_same_input_due_to_random_iv()
+ {
+ var sut = new BundleSecretEncryptor();
+ var plaintext = Encoding.UTF8.GetBytes("same input");
+
+ var (ct1, meta1) = sut.Encrypt(plaintext, "pass", TestIterations);
+ var (ct2, meta2) = sut.Encrypt(plaintext, "pass", TestIterations);
+
+ Assert.NotEqual(ct1, ct2);
+ Assert.NotEqual(meta1.IvB64, meta2.IvB64);
+ Assert.NotEqual(meta1.SaltB64, meta2.SaltB64);
+ }
+
+ [Fact]
+ public void Encrypt_emits_metadata_matching_decryption_inputs()
+ {
+ var sut = new BundleSecretEncryptor();
+ var plaintext = Encoding.UTF8.GetBytes("payload");
+
+ var (ciphertext, metadata) = sut.Encrypt(plaintext, "pass", TestIterations);
+
+ Assert.Equal("AES-256-GCM", metadata.Algorithm);
+ Assert.Equal("PBKDF2-SHA256", metadata.Kdf);
+ Assert.Equal(TestIterations, metadata.Iterations);
+ // Salt is 16 bytes (24 chars b64 incl padding), Iv is 12 bytes (16 chars b64 incl padding).
+ Assert.Equal(16, Convert.FromBase64String(metadata.SaltB64).Length);
+ Assert.Equal(12, Convert.FromBase64String(metadata.IvB64).Length);
+
+ var recovered = sut.Decrypt(ciphertext, metadata, "pass");
+ Assert.Equal(plaintext, recovered);
+ }
+}