diff --git a/home/hosts/work/default.nix b/home/hosts/work/default.nix
index 50201cc..4bef19d 100644
--- a/home/hosts/work/default.nix
+++ b/home/hosts/work/default.nix
@@ -28,6 +28,7 @@ in
     ../../modules/kitty.nix
     ../../modules/nvim.nix
     ../../modules/pandoc.nix
+    ../../modules/secrets
     ../../modules/browser
     ../../modules/shell
     ../../modules/music
@@ -99,6 +100,10 @@ in
   github.enable = true;
   gitlab.enable = true;
   pandoc.enable = true;
+  secrets = {
+    enable = true;
+    vault.enable = true;
+  };
 
   shell.bash.enable = true;
   starship.enable = true;
diff --git a/home/modules/secrets/default.nix b/home/modules/secrets/default.nix
new file mode 100644
index 0000000..6840ff4
--- /dev/null
+++ b/home/modules/secrets/default.nix
@@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  options.secrets = {
+    enable = lib.mkEnableOption "secrets";
+  };
+
+  imports = [ ./vault.nix ];
+
+  config = lib.mkIf config.secrets.enable {
+    home.packages = with pkgs; [
+      sops
+      age
+    ];
+  };
+}
diff --git a/home/modules/secrets/vault.nix b/home/modules/secrets/vault.nix
new file mode 100644
index 0000000..2b79f15
--- /dev/null
+++ b/home/modules/secrets/vault.nix
@@ -0,0 +1,16 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  options.secrets.vault = {
+    enable = lib.mkEnableOption "vault CLI";
+  };
+
+  config = lib.mkIf config.secrets.vault.enable {
+    home.packages = with pkgs; [ vault-bin ];
+  };
+}