diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,8 @@
+# Changelog
+
+## Unreleased
+
+### Added
+
+* `Sized` byte arrays
+* `Secretbox`
diff --git a/LICENSES/MPL-2.0.txt b/LICENSES/MPL-2.0.txt
new file mode 100644
--- /dev/null
+++ b/LICENSES/MPL-2.0.txt
@@ -0,0 +1,312 @@
+Mozilla Public License Version 2.0
+
+   1. Definitions
+
+1.1. "Contributor" means each individual or legal entity that creates, contributes
+to the creation of, or owns Covered Software.
+
+1.2. "Contributor Version" means the combination of the Contributions of others
+(if any) used by a Contributor and that particular Contributor's Contribution.
+
+      1.3. "Contribution" means Covered Software of a particular Contributor.
+
+1.4. "Covered Software" means Source Code Form to which the initial Contributor
+has attached the notice in Exhibit A, the Executable Form of such Source Code
+Form, and Modifications of such Source Code Form, in each case including portions
+thereof.
+
+      1.5. "Incompatible With Secondary Licenses" means
+
+(a) that the initial Contributor has attached the notice described in Exhibit
+B to the Covered Software; or
+
+(b) that the Covered Software was made available under the terms of version
+1.1 or earlier of the License, but not also under the terms of a Secondary
+License.
+
+1.6. "Executable Form" means any form of the work other than Source Code Form.
+
+1.7. "Larger Work" means a work that combines Covered Software with other
+material, in a separate file or files, that is not Covered Software.
+
+      1.8. "License" means this document.
+
+1.9. "Licensable" means having the right to grant, to the maximum extent possible,
+whether at the time of the initial grant or subsequently, any and all of the
+rights conveyed by this License.
+
+      1.10. "Modifications" means any of the following:
+
+(a) any file in Source Code Form that results from an addition to, deletion
+from, or modification of the contents of Covered Software; or
+
+(b) any new file in Source Code Form that contains any Covered Software.
+
+1.11. "Patent Claims" of a Contributor means any patent claim(s), including
+without limitation, method, process, and apparatus claims, in any patent Licensable
+by such Contributor that would be infringed, but for the grant of the License,
+by the making, using, selling, offering for sale, having made, import, or
+transfer of either its Contributions or its Contributor Version.
+
+1.12. "Secondary License" means either the GNU General Public License, Version
+2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General
+Public License, Version 3.0, or any later versions of those licenses.
+
+1.13. "Source Code Form" means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your") means an individual or a legal entity exercising rights
+under this License. For legal entities, "You" includes any entity that controls,
+is controlled by, or is under common control with You. For purposes of this
+definition, "control" means (a) the power, direct or indirect, to cause the
+direction or management of such entity, whether by contract or otherwise,
+or (b) ownership of more than fifty percent (50%) of the outstanding shares
+or beneficial ownership of such entity.
+
+   2. License Grants and Conditions
+
+      2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive
+license:
+
+(a) under intellectual property rights (other than patent or trademark) Licensable
+by such Contributor to use, reproduce, make available, modify, display, perform,
+distribute, and otherwise exploit its Contributions, either on an unmodified
+basis, with Modifications, or as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer for
+sale, have made, import, and otherwise transfer either its Contributions or
+its Contributor Version.
+
+      2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution become
+effective for each Contribution on the date the Contributor first distributes
+such Contribution.
+
+      2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under this
+License. No additional rights or licenses will be implied from the distribution
+or licensing of Covered Software under this License. Notwithstanding Section
+2.1(b) above, no patent license is granted by a Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software; or
+
+(b) for infringements caused by: (i) Your and any other third party's modifications
+of Covered Software, or (ii) the combination of its Contributions with other
+software (except as part of its Contributor Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of its
+Contributions.
+
+This License does not grant any rights in the trademarks, service marks, or
+logos of any Contributor (except as may be necessary to comply with the notice
+requirements in Section 3.4).
+
+      2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to distribute
+the Covered Software under a subsequent version of this License (see Section
+10.2) or under the terms of a Secondary License (if permitted under the terms
+of Section 3.3).
+
+      2.5. Representation
+
+Each Contributor represents that the Contributor believes its Contributions
+are its original creation(s) or it has sufficient rights to grant the rights
+to its Contributions conveyed by this License.
+
+      2.6. Fair Use
+
+This License is not intended to limit any rights You have under applicable
+copyright doctrines of fair use, fair dealing, or other equivalents.
+
+      2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
+Section 2.1.
+
+   3. Responsibilities
+
+      3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any Modifications
+that You create or to which You contribute, must be under the terms of this
+License. You must inform recipients that the Source Code Form of the Covered
+Software is governed by the terms of this License, and how they can obtain
+a copy of this License. You may not attempt to alter or restrict the recipients'
+rights in the Source Code Form.
+
+      3.2. Distribution of Executable Form
+
+      If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code Form,
+as described in Section 3.1, and You must inform recipients of the Executable
+Form how they can obtain a copy of such Source Code Form by reasonable means
+in a timely manner, at a charge no more than the cost of distribution to the
+recipient; and
+
+(b) You may distribute such Executable Form under the terms of this License,
+or sublicense it under different terms, provided that the license for the
+Executable Form does not attempt to limit or alter the recipients' rights
+in the Source Code Form under this License.
+
+      3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice, provided
+that You also comply with the requirements of this License for the Covered
+Software. If the Larger Work is a combination of Covered Software with a work
+governed by one or more Secondary Licenses, and the Covered Software is not
+Incompatible With Secondary Licenses, this License permits You to additionally
+distribute such Covered Software under the terms of such Secondary License(s),
+so that the recipient of the Larger Work may, at their option, further distribute
+the Covered Software under the terms of either this License or such Secondary
+License(s).
+
+      3.4. Notices
+
+You may not remove or alter the substance of any license notices (including
+copyright notices, patent notices, disclaimers of warranty, or limitations
+of liability) contained within the Source Code Form of the Covered Software,
+except that You may alter any license notices to the extent required to remedy
+known factual inaccuracies.
+
+      3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support, indemnity
+or liability obligations to one or more recipients of Covered Software. However,
+You may do so only on Your own behalf, and not on behalf of any Contributor.
+You must make it absolutely clear that any such warranty, support, indemnity,
+or liability obligation is offered by You alone, and You hereby agree to indemnify
+every Contributor for any liability incurred by such Contributor as a result
+of warranty, support, indemnity or liability terms You offer. You may include
+additional disclaimers of warranty and limitations of liability specific to
+any jurisdiction.
+
+   4. Inability to Comply Due to Statute or Regulation
+
+If it is impossible for You to comply with any of the terms of this License
+with respect to some or all of the Covered Software due to statute, judicial
+order, or regulation then You must: (a) comply with the terms of this License
+to the maximum extent possible; and (b) describe the limitations and the code
+they affect. Such description must be placed in a text file included with
+all distributions of the Covered Software under this License. Except to the
+extent prohibited by statute or regulation, such description must be sufficiently
+detailed for a recipient of ordinary skill to be able to understand it.
+
+   5. Termination
+
+5.1. The rights granted under this License will terminate automatically if
+You fail to comply with any of its terms. However, if You become compliant,
+then the rights granted under this License from a particular Contributor are
+reinstated (a) provisionally, unless and until such Contributor explicitly
+and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor
+fails to notify You of the non-compliance by some reasonable means prior to
+60 days after You have come back into compliance. Moreover, Your grants from
+a particular Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the first
+time You have received notice of non-compliance with this License from such
+Contributor, and You become compliant prior to 30 days after Your receipt
+of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent infringement
+claim (excluding declaratory judgment actions, counter-claims, and cross-claims)
+alleging that a Contributor Version directly or indirectly infringes any patent,
+then the rights granted to You by any and all Contributors for the Covered
+Software under Section 2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all end
+user license agreements (excluding distributors and resellers) which have
+been validly granted by You or Your distributors under this License prior
+to termination shall survive termination.
+
+   6. Disclaimer of Warranty
+
+Covered Software is provided under this License on an "as is" basis, without
+warranty of any kind, either expressed, implied, or statutory, including,
+without limitation, warranties that the Covered Software is free of defects,
+merchantable, fit for a particular purpose or non-infringing. The entire risk
+as to the quality and performance of the Covered Software is with You. Should
+any Covered Software prove defective in any respect, You (not any Contributor)
+assume the cost of any necessary servicing, repair, or correction. This disclaimer
+of warranty constitutes an essential part of this License. No use of any Covered
+Software is authorized under this License except under this disclaimer.
+
+   7. Limitation of Liability
+
+Under no circumstances and under no legal theory, whether tort (including
+negligence), contract, or otherwise, shall any Contributor, or anyone who
+distributes Covered Software as permitted above, be liable to You for any
+direct, indirect, special, incidental, or consequential damages of any character
+including, without limitation, damages for lost profits, loss of goodwill,
+work stoppage, computer failure or malfunction, or any and all other commercial
+damages or losses, even if such party shall have been informed of the possibility
+of such damages. This limitation of liability shall not apply to liability
+for death or personal injury resulting from such party's negligence to the
+extent applicable law prohibits such limitation. Some jurisdictions do not
+allow the exclusion or limitation of incidental or consequential damages,
+so this exclusion and limitation may not apply to You.
+
+   8. Litigation
+
+Any litigation relating to this License may be brought only in the courts
+of a jurisdiction where the defendant maintains its principal place of business
+and such litigation shall be governed by laws of that jurisdiction, without
+reference to its conflict-of-law provisions. Nothing in this Section shall
+prevent a party's ability to bring cross-claims or counter-claims.
+
+   9. Miscellaneous
+
+This License represents the complete agreement concerning the subject matter
+hereof. If any provision of this License is held to be unenforceable, such
+provision shall be reformed only to the extent necessary to make it enforceable.
+Any law or regulation which provides that the language of a contract shall
+be construed against the drafter shall not be used to construe this License
+against a Contributor.
+
+   10. Versions of the License
+
+      10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section 10.3,
+no one other than the license steward has the right to modify or publish new
+versions of this License. Each version will be given a distinguishing version
+number.
+
+      10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version of
+the License under which You originally received the Covered Software, or under
+the terms of any subsequent version published by the license steward.
+
+      10.3. Modified Versions
+
+If you create software not governed by this License, and you want to create
+a new license for such software, you may create and use a modified version
+of this License if you rename the license and remove any references to the
+name of the license steward (except to note that such modified license differs
+from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With Secondary
+Licenses under the terms of this version of the License, the notice described
+in Exhibit B of this License must be attached. Exhibit A - Source Code Form
+License Notice
+
+This Source Code Form is subject to the terms of the Mozilla Public License,
+v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain
+one at http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular file,
+then You may include the notice in a location (such as a LICENSE file in a
+relevant directory) where a recipient would be likely to look for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+
+This Source Code Form is "Incompatible With Secondary Licenses", as defined
+by the Mozilla Public License, v. 2.0.
diff --git a/NaCl.cabal b/NaCl.cabal
new file mode 100644
--- /dev/null
+++ b/NaCl.cabal
@@ -0,0 +1,83 @@
+cabal-version: 1.18
+
+-- This file has been generated from package.yaml by hpack version 0.33.0.
+--
+-- see: https://github.com/sol/hpack
+--
+-- hash: 9b302cb2a6e7e7082c3f24456d474ba10bf82a95d7943fac58e002b7ad793a28
+
+name:           NaCl
+version:        0.0.1.0
+synopsis:       Easy-and-safe-to-use library for cryptography
+description:    This library uses <https://libsodium.org Sodium> under the hood,
+                but only exposes the primitives that are part of the “classic” NaCl
+                interface. We believe, it is better to be paranoid than sorry.
+                .
+                __Note: this package is experimental and WIP.__
+                .
+                = Secret-key cryptography
+                .
+                  * Authenticated encryption: "Crypto.Secretbox"
+category:       Cryptography
+homepage:       https://github.com/serokell/haskell-nacl#readme
+bug-reports:    https://github.com/serokell/haskell-nacl/issues
+author:         Kirill Elagin <kirelagin@serokell.io>
+maintainer:     Kirill Elagin <kirelagin@serokell.io>
+copyright:      2020 Serokell
+license:        MPL-2.0
+license-file:   LICENSES/MPL-2.0.txt
+build-type:     Simple
+extra-doc-files:
+    CHANGELOG.md
+    README.md
+
+source-repository head
+  type: git
+  location: https://github.com/serokell/haskell-nacl
+
+library
+  exposed-modules:
+      Crypto.Secretbox
+      Crypto.Secretbox.Internal
+      Data.ByteArray.Sized
+      Data.ByteArray.Sized.Internal
+  other-modules:
+      Paths_NaCl
+  hs-source-dirs:
+      lib
+  default-extensions: DataKinds FlexibleContexts FlexibleInstances GeneralizedNewtypeDeriving KindSignatures MultiParamTypeClasses NumericUnderscores OverloadedStrings PolyKinds ScopedTypeVariables
+  ghc-options: -Wall -Wcompat -Wincomplete-record-updates -Wincomplete-uni-patterns -Wredundant-constraints
+  build-depends:
+      base >=4.10 && <4.15
+    , bytestring >=0.9 && <0.11
+    , gdp >=0.0.0.1 && <0.1
+    , libsodium >=1.0 && <2
+    , memory >=0.1 && <0.16
+    , safe-exceptions >=0.1 && <0.2
+    , text >=0.7 && <1.3
+  default-language: Haskell2010
+
+test-suite test
+  type: exitcode-stdio-1.0
+  main-is: Test.hs
+  other-modules:
+      Test.Crypto.Secretbox
+      Paths_NaCl
+  hs-source-dirs:
+      test
+  default-extensions: DataKinds FlexibleContexts FlexibleInstances GeneralizedNewtypeDeriving KindSignatures MultiParamTypeClasses NumericUnderscores OverloadedStrings PolyKinds ScopedTypeVariables
+  ghc-options: -Wall -Wcompat -Wincomplete-record-updates -Wincomplete-uni-patterns -Wredundant-constraints
+  build-tool-depends:
+      tasty-discover:tasty-discover
+  build-depends:
+      HUnit
+    , NaCl
+    , base >=4.10 && <4.15
+    , bytestring >=0.9 && <0.11
+    , hedgehog
+    , libsodium
+    , tasty
+    , tasty-hedgehog
+    , tasty-hunit
+    , text >=0.7 && <1.3
+  default-language: Haskell2010
diff --git a/README.md b/README.md
new file mode 100644
--- /dev/null
+++ b/README.md
@@ -0,0 +1,49 @@
+# NaCl (`haskell-NaCl`)
+
+Easy-and-safe-to-use library for cryptography.
+
+**Note: this package is experimental and WIP.**
+
+Cryptography is hard to do right and you should never try to implement it
+on your own, even if you have access to safe and secure cryptographic
+primitives. Luckily, D. J. Bernstein created [NaCl].
+
+NaCl was designed specifically to make it hard to use it incorrectly and
+thus save your from a disaster. It exposes high-level cryptographic
+algorithms with underlying implementations chosen for you, so you do not
+get flexibility, but you get security, which is more important.
+
+[Sodium] is a reimplementation of NaCl with the goal to make it more
+portable across different platforms. With time, it started providing
+not only the same interface as NaCl, the developers of Sodium decided
+to add new primitives too.
+
+Sodium is more portable, but some people are afraid of using it,
+and prefer to stick to NaCl. We agree that it is better to be
+paranoid than sorry. That is why, even though this library uses
+Sodium under the hood, it only exposes the primitives that
+are part of the “classic” NaCl interface.
+
+[NaCl]: https://nacl.cr.yp.to/
+[Sodium]: https://libsodium.org
+
+
+## Why not?
+
+
+## Use
+
+
+## Contributing
+
+If you encounter any issues when using this library or have improvement ideas,
+please open report in issue on GitHub. You are also very welcome to submit
+pull request, if you feel like doing so.
+
+
+## License
+
+[MPL-2.0] © [Serokell]
+
+[MPL-2.0]: https://spdx.org/licenses/MPL-2.0.html
+[Serokell]: https://serokell.io/
diff --git a/lib/Crypto/Secretbox.hs b/lib/Crypto/Secretbox.hs
new file mode 100644
--- /dev/null
+++ b/lib/Crypto/Secretbox.hs
@@ -0,0 +1,53 @@
+-- SPDX-FileCopyrightText: 2020 Serokell
+--
+-- SPDX-License-Identifier: MPL-2.0
+
+module Crypto.Secretbox
+  ( Key
+  , toKey
+
+  , Nonce
+  , toNonce
+
+  , create
+  , open
+  ) where
+
+import Data.ByteArray (ByteArray, ByteArrayAccess)
+import System.IO.Unsafe (unsafeDupablePerformIO)
+
+import Crypto.Secretbox.Internal (Key, Nonce, toKey, toNonce)
+
+import qualified Crypto.Secretbox.Internal as I
+
+
+-- | Encrypt a message.
+--
+-- Note: This function is similar to the C++ API of NaCl.
+-- That is, unlike @crypto_secretbox@ from the C API of NaCl,
+-- it does not require any special padding.
+create
+  ::  ( ByteArrayAccess key, ByteArrayAccess nonce
+      , ByteArrayAccess pt, ByteArray ct
+      )
+  => Key key  -- ^ Secret key
+  -> Nonce nonce  -- ^ Nonce
+  -> pt -- ^ Plaintext message
+  -> ct
+create key nonce msg = unsafeDupablePerformIO $ I.create key nonce msg
+
+
+-- | Decrypt a message.
+--
+-- Note: This function is similar to the C++ API of NaCl.
+-- That is, unlike @crypto_secretbox_open@ from the C API of NaCl,
+-- it does not require any special padding.
+open
+  ::  ( ByteArrayAccess key, ByteArrayAccess nonce
+      , ByteArray pt, ByteArrayAccess ct
+      )
+  => Key key  -- ^ Secret key
+  -> Nonce nonce  -- ^ Nonce
+  -> ct -- ^ Cyphertext
+  -> Maybe pt
+open key nonce ct = unsafeDupablePerformIO $ I.open key nonce ct
diff --git a/lib/Crypto/Secretbox/Internal.hs b/lib/Crypto/Secretbox/Internal.hs
new file mode 100644
--- /dev/null
+++ b/lib/Crypto/Secretbox/Internal.hs
@@ -0,0 +1,109 @@
+-- SPDX-FileCopyrightText: 2020 Serokell
+--
+-- SPDX-License-Identifier: MPL-2.0
+
+module Crypto.Secretbox.Internal
+  ( Key
+  , toKey
+
+  , Nonce
+  , toNonce
+
+  , create
+  , open
+  ) where
+
+import Prelude hiding (length)
+
+import Data.ByteArray (ByteArray, ByteArrayAccess, allocRet, length, withByteArray)
+
+import qualified Libsodium as Na
+
+import Data.ByteArray.Sized (OfLength, hasRightLength)
+
+
+-- | Encryption key that can be used for Secretbox.
+--
+-- This type is parametrised by the actual data type that contains
+-- bytes. This can be, for example, a @ByteString@, but, since this
+-- is a secret key, it is better to use @ScrubbedBytes@.
+type Key a = OfLength Na.CRYPTO_SECRETBOX_KEYBYTES a
+
+-- | Make a 'Key' from an arbitrary byte array.
+--
+-- This function returns @Just@ if and only if the byte array has
+-- the right length to be used as a key with a Secretbox.
+toKey :: ByteArrayAccess ba => ba -> Maybe (Key ba)
+toKey = hasRightLength
+
+
+-- | Nonce that can be used for Secretbox.
+--
+-- This type is parametrised by the actual data type that contains
+-- bytes. This can be, for example, a @ByteString@.
+type Nonce a = OfLength Na.CRYPTO_SECRETBOX_NONCEBYTES a
+
+-- | Make a 'Nonce' from an arbitrary byte array.
+--
+-- This function returns @Just@ if and only if the byte array has
+-- the right length to be used as a nonce with a Secretbox.
+toNonce :: ByteArrayAccess ba => ba -> Maybe (Nonce ba)
+toNonce = hasRightLength
+
+
+-- | Encrypt a message.
+create
+  ::  ( ByteArrayAccess key, ByteArrayAccess nonce
+      , ByteArrayAccess pt, ByteArray ct
+      )
+  => Key key  -- ^ Secret key
+  -> Nonce nonce  -- ^ Nonce
+  -> pt -- ^ Plaintext message
+  -> IO ct
+create key nonce msg = do
+    (_ret, ct) <-
+      allocRet clen $ \ctPtr ->
+      withByteArray key $ \keyPtr ->
+      withByteArray nonce $ \noncePtr ->
+      withByteArray msg $ \msgPtr -> do
+        -- TODO: Maybe, reimplement this without _easy, to stay closer
+        -- to the original NaCl.
+        Na.crypto_secretbox_easy ctPtr
+          msgPtr (fromIntegral $ length msg)
+          noncePtr
+          keyPtr
+    -- _ret can be only 0, so we don’t check it
+    pure ct
+  where
+    clen :: Int
+    clen = fromIntegral Na.crypto_secretbox_macbytes + length msg
+
+
+-- | Decrypt a message.
+open
+  ::  ( ByteArrayAccess key, ByteArrayAccess nonce
+      , ByteArray pt, ByteArrayAccess ct
+      )
+  => Key key  -- ^ Secret key
+  -> Nonce nonce  -- ^ Nonce
+  -> ct -- ^ Cyphertext
+  -> IO (Maybe pt)
+open key nonce ct = do
+    (ret, msg) <-
+      allocRet mlen $ \msgPtr ->
+      withByteArray key $ \keyPtr ->
+      withByteArray nonce $ \noncePtr ->
+      withByteArray ct $ \ctPtr -> do
+        -- TODO: Maybe, reimplement this without _easy, to stay closer
+        -- to the original NaCl.
+        Na.crypto_secretbox_open_easy msgPtr
+          ctPtr (fromIntegral $ length ct)
+          noncePtr
+          keyPtr
+    if ret == 0 then
+      pure $ Just msg
+    else
+      pure Nothing
+  where
+    mlen :: Int
+    mlen = length ct - fromIntegral Na.crypto_secretbox_macbytes
diff --git a/lib/Data/ByteArray/Sized.hs b/lib/Data/ByteArray/Sized.hs
new file mode 100644
--- /dev/null
+++ b/lib/Data/ByteArray/Sized.hs
@@ -0,0 +1,10 @@
+-- SPDX-FileCopyrightText: 2020 Serokell
+--
+-- SPDX-License-Identifier: MPL-2.0
+
+-- | 'ByteArray' with length known at compile time.
+module Data.ByteArray.Sized
+  ( module M
+  ) where
+
+import Data.ByteArray.Sized.Internal as M (OfLength, hasRightLength)
diff --git a/lib/Data/ByteArray/Sized/Internal.hs b/lib/Data/ByteArray/Sized/Internal.hs
new file mode 100644
--- /dev/null
+++ b/lib/Data/ByteArray/Sized/Internal.hs
@@ -0,0 +1,63 @@
+-- SPDX-FileCopyrightText: 2020 Serokell
+--
+-- SPDX-License-Identifier: MPL-2.0
+
+-- | 'ByteArray' with length known at compile time. Internal module.
+module Data.ByteArray.Sized.Internal
+  ( OfLength (..)
+  , hasRightLength
+
+  , allocRet
+  , alloc
+  ) where
+
+import Prelude hiding (length)
+
+import Data.Bifunctor (second)
+import Data.Proxy (Proxy (Proxy))
+import Data.The (The)
+import Foreign.Ptr (Ptr)
+import GHC.TypeLits (KnownNat, Nat, natVal)
+
+import Data.ByteArray (ByteArray, ByteArrayAccess, length)
+
+import qualified Data.ByteArray
+
+
+-- Type of byte arrays that have length @l@.
+newtype OfLength (l :: Nat) ba = OfLength ba
+  deriving (ByteArrayAccess, Eq, Monoid, Ord, Semigroup)
+
+instance The (OfLength l ba) ba
+
+
+-- | Check that the byte array has the given length.
+hasRightLength
+  :: forall ba n. (ByteArrayAccess ba, KnownNat n)
+  => ba
+  -> Maybe (OfLength n ba)
+hasRightLength ba
+  | fromIntegral (length ba) == natVal (Proxy :: Proxy n) = Just $ OfLength ba
+  | otherwise = Nothing
+
+-- | Allocate a new byte array of the given length, and perform the given operation.
+--
+-- This is the same as 'Data.ByteArray.allocRet'.
+allocRet
+  :: forall ba n p a. (ByteArray ba, KnownNat n)
+  => (Ptr p -> IO a)
+  -> IO (a, OfLength n ba)
+allocRet
+  = fmap (second OfLength)
+  . Data.ByteArray.allocRet (fromIntegral $ natVal (Proxy :: Proxy n))
+
+-- | Allocate a new byte array of the given length, and run the initialiser.
+--
+-- This is the same as 'Data.ByteArray.alloc'.
+alloc
+  :: forall ba n p. (ByteArray ba, KnownNat n)
+  => (Ptr p -> IO ())
+  -> IO (OfLength n ba)
+alloc
+  = fmap OfLength
+  . Data.ByteArray.alloc (fromIntegral $ natVal (Proxy :: Proxy n))
diff --git a/test/Test.hs b/test/Test.hs
new file mode 100644
--- /dev/null
+++ b/test/Test.hs
@@ -0,0 +1,10 @@
+-- SPDX-FileCopyrightText: 2020 Serokell
+--
+-- SPDX-License-Identifier: MPL-2.0
+
+{- SPDX-FileCopyrightText: 2020 Serokell <https://serokell.io/>
+ -
+ - SPDX-License-Identifier: MPL-2.0
+ -}
+
+{-# OPTIONS_GHC -F -pgmF tasty-discover -optF --tree-display #-}
diff --git a/test/Test/Crypto/Secretbox.hs b/test/Test/Crypto/Secretbox.hs
new file mode 100644
--- /dev/null
+++ b/test/Test/Crypto/Secretbox.hs
@@ -0,0 +1,113 @@
+-- SPDX-FileCopyrightText: 2020 Serokell
+--
+-- SPDX-License-Identifier: MPL-2.0
+
+{-# OPTIONS_GHC -Wno-incomplete-uni-patterns #-}
+
+module Test.Crypto.Secretbox where
+
+import Hedgehog (Property, forAll, property, tripping)
+import Test.HUnit ((@?=), Assertion)
+
+import Data.ByteString (ByteString)
+
+import qualified Data.ByteString as BS
+import qualified Libsodium as Na
+
+import qualified Hedgehog.Gen as G
+import qualified Hedgehog.Range as R
+
+import qualified Crypto.Secretbox as Secretbox
+
+
+keySize :: R.Range Int
+keySize = R.singleton $ fromIntegral Na.crypto_secretbox_keybytes
+
+nonceSize :: R.Range Int
+nonceSize = R.singleton $ fromIntegral Na.crypto_secretbox_noncebytes
+
+
+hprop_encode_decode :: Property
+hprop_encode_decode = property $ do
+    keyBytes <- forAll $ G.bytes keySize
+    let Just key = Secretbox.toKey keyBytes
+    nonceBytes <- forAll $ G.bytes nonceSize
+    let Just nonce = Secretbox.toNonce nonceBytes
+    msg <- forAll $ G.bytes (R.linear 0 1_000)
+    tripping msg (encodeBs key nonce) (decodeBs key nonce)
+  where
+    -- We need to specify the type of the cyphertext as it is polymorphic
+    encodeBs key nonce msg = Secretbox.create key nonce msg :: ByteString
+    decodeBs key nonce ct = Secretbox.open key nonce ct :: Maybe ByteString
+
+
+-- Test vector from
+-- https://github.com/jedisct1/libsodium/blob/f911b56650b680ecfc5d32b11b090849fc2b5f92/test/default/secretbox.c
+
+exampleKey :: ByteString
+exampleKey = BS.pack $
+  [ 0x1b, 0x27, 0x55, 0x64, 0x73, 0xe9, 0x85
+  , 0xd4, 0x62, 0xcd, 0x51, 0x19, 0x7a, 0x9a
+  , 0x46, 0xc7, 0x60, 0x09, 0x54, 0x9e, 0xac
+  , 0x64, 0x74, 0xf2, 0x06, 0xc4, 0xee, 0x08
+  , 0x44, 0xf6, 0x83, 0x89
+  ]
+
+exampleNonce :: ByteString
+exampleNonce = BS.pack $
+  [ 0x69, 0x69, 0x6e, 0xe9, 0x55, 0xb6
+  , 0x2b, 0x73, 0xcd, 0x62, 0xbd, 0xa8
+  , 0x75, 0xfc, 0x73, 0xd6, 0x82, 0x19
+  , 0xe0, 0x03, 0x6b, 0x7a, 0x0b, 0x37
+  ]
+
+exampleMsg :: ByteString
+exampleMsg = BS.pack $
+  [                                                 0xbe, 0x07, 0x5f, 0xc5
+  , 0x3c, 0x81, 0xf2, 0xd5, 0xcf, 0x14, 0x13, 0x16, 0xeb, 0xeb, 0x0c, 0x7b
+  , 0x52, 0x28, 0xc5, 0x2a, 0x4c, 0x62, 0xcb, 0xd4, 0x4b, 0x66, 0x84, 0x9b
+  , 0x64, 0x24, 0x4f, 0xfc, 0xe5, 0xec, 0xba, 0xaf, 0x33, 0xbd, 0x75, 0x1a
+  , 0x1a, 0xc7, 0x28, 0xd4, 0x5e, 0x6c, 0x61, 0x29, 0x6c, 0xdc, 0x3c, 0x01
+  , 0x23, 0x35, 0x61, 0xf4, 0x1d, 0xb6, 0x6c, 0xce, 0x31, 0x4a, 0xdb, 0x31
+  , 0x0e, 0x3b, 0xe8, 0x25, 0x0c, 0x46, 0xf0, 0x6d, 0xce, 0xea, 0x3a, 0x7f
+  , 0xa1, 0x34, 0x80, 0x57, 0xe2, 0xf6, 0x55, 0x6a, 0xd6, 0xb1, 0x31, 0x8a
+  , 0x02, 0x4a, 0x83, 0x8f, 0x21, 0xaf, 0x1f, 0xde, 0x04, 0x89, 0x77, 0xeb
+  , 0x48, 0xf5, 0x9f, 0xfd, 0x49, 0x24, 0xca, 0x1c, 0x60, 0x90, 0x2e, 0x52
+  , 0xf0, 0xa0, 0x89, 0xbc, 0x76, 0x89, 0x70, 0x40, 0xe0, 0x82, 0xf9, 0x37
+  , 0x76, 0x38, 0x48, 0x64, 0x5e, 0x07, 0x05
+  ]
+
+exampleCt :: ByteString
+exampleCt = BS.pack $
+  [ 0xf3, 0xff, 0xc7, 0x70, 0x3f, 0x94, 0x00, 0xe5
+  , 0x2a, 0x7d, 0xfb, 0x4b, 0x3d, 0x33, 0x05, 0xd9
+  , 0x8e, 0x99, 0x3b, 0x9f, 0x48, 0x68, 0x12, 0x73
+  , 0xc2, 0x96, 0x50, 0xba, 0x32, 0xfc, 0x76, 0xce
+  , 0x48, 0x33, 0x2e, 0xa7, 0x16, 0x4d, 0x96, 0xa4
+  , 0x47, 0x6f, 0xb8, 0xc5, 0x31, 0xa1, 0x18, 0x6a
+  , 0xc0, 0xdf, 0xc1, 0x7c, 0x98, 0xdc, 0xe8, 0x7b
+  , 0x4d, 0xa7, 0xf0, 0x11, 0xec, 0x48, 0xc9, 0x72
+  , 0x71, 0xd2, 0xc2, 0x0f, 0x9b, 0x92, 0x8f, 0xe2
+  , 0x27, 0x0d, 0x6f, 0xb8, 0x63, 0xd5, 0x17, 0x38
+  , 0xb4, 0x8e, 0xee, 0xe3, 0x14, 0xa7, 0xcc, 0x8a
+  , 0xb9, 0x32, 0x16, 0x45, 0x48, 0xe5, 0x26, 0xae
+  , 0x90, 0x22, 0x43, 0x68, 0x51, 0x7a, 0xcf, 0xea
+  , 0xbd, 0x6b, 0xb3, 0x73, 0x2b, 0xc0, 0xe9, 0xda
+  , 0x99, 0x83, 0x2b, 0x61, 0xca, 0x01, 0xb6, 0xde
+  , 0x56, 0x24, 0x4a, 0x9e, 0x88, 0xd5, 0xf9, 0xb3
+  , 0x79, 0x73, 0xf6, 0x22, 0xa4, 0x3d, 0x14, 0xa6
+  , 0x59, 0x9b, 0x1f, 0x65, 0x4c, 0xb4, 0x5a, 0x74
+  , 0xe3, 0x55, 0xa5
+  ]
+
+unit_example_create :: Assertion
+unit_example_create = do
+  let Just key = Secretbox.toKey exampleKey
+  let Just nonce = Secretbox.toNonce exampleNonce
+  Secretbox.create key nonce exampleMsg @?= exampleCt
+
+unit_example_open :: Assertion
+unit_example_open = do
+  let Just key = Secretbox.toKey exampleKey
+  let Just nonce = Secretbox.toNonce exampleNonce
+  Secretbox.open key nonce exampleCt @?= Just exampleMsg
