Zero-knowledge architecture

The secure vault your
team actually trusts

Passwords, API keys, SSH keys, recovery codes and contractor secrets — all encrypted client-side before they leave your browser. The server sees only ciphertext.

Start for free How the security works
sealedkeys — team vault
live
vault unlocked · AES-256-GCM encryption active
7 secrets · 0 plaintext exposed
TypeSecret NameValueStatus
API Key
STRIPE_SECRET_KEY
aes256·ivGk9q3mP2==·cT3mXr2kLp7NdK
SEALED
SSH Key
PROD_SERVER_KEY
aes256·mP2xW9kRtQ==·Qr7LpvN4jK8nFbW
SEALED
API Key
AWS_ACCESS_KEY_ID
aes256·hK8nF2wXsM==·wXsMq5RcT9mXrK2
SEALED
Password
DB_PRODUCTION
aes256·Zp6tRkSy1v==·sY1vBm8nWj4LqR9
SEALED
API Key
GITHUB_TOKEN
aes256·Xn5kQrdJ2m==·dJ2mHp9vBt6WcN4
SEALED
Login
AWS_CONSOLE
aes256·Rm7vKjNp4s==·nWj4LqR9xZcT3mX
SEALED
Recovery
2FA_BACKUP_CODES
aes256·Lm3pKjqN8r==·qN8rTx5vWy2ZpK6
SEALED
PBKDF2-SHA256 · 600,000 iterations·key derived client-side · server stores ciphertext only
sealedkeys.com
Encryption
AES-256-GCM
Key derivation
PBKDF2 · 600k itr
AES-256-GCM encryption on every secret
PBKDF2-SHA256 key derivation (600k iterations)
Server stores zero plaintext — ever
Open architecture, auditable encryption flow
Granular role-based access (Owner / Admin / Member / Read-only)
Full audit log of every access and change

Everything your team needs to store securely

One vault for every type of credential. No more Google Docs, Slack DMs or unencrypted spreadsheets.

Website logins

Username, password and TOTP seeds — all encrypted.

API keys & tokens

Store and organise every API key with notes and tags.

SSH keys

Private keys stored encrypted, never visible to the server.

Recovery codes

2FA backup codes safe and accessible when you need them.

Secure notes

Encrypted free-text notes for anything sensitive.

Team vaults

Share secrets with teammates and contractors securely.

Built for teams from day one

Invite contractors with read-only access. Give admins the ability to manage secrets. Off-board members and trigger rotation checklists when someone leaves.

  • Owner, Admin, Member & Read-only roles
  • Per-org audit trail
  • One-click contractor offboarding (roadmap)
  • Rotation reminders for critical secrets (roadmap)
Create team vault

Know exactly who touched what

Every create, update, delete, view and copy event is logged. Security health checks surface stale secrets, missing MFA and suspicious access patterns.

Start monitoring
Recent events
CreatedAWS production keys2m ago
CopiedGitHub deploy token15m ago
UpdatedStaging DB password1h ago
DeletedOld Heroku API key3h ago

Frequently asked questions

What does zero-knowledge mean?

It means SealedKeys never has access to your plaintext secrets. Your vault key is derived entirely in your browser from your master password using PBKDF2. Every secret is encrypted with AES-256-GCM before it leaves your device. Our servers store only encrypted ciphertext — even if our database were breached, attackers would find nothing readable.

How is SealedKeys different from LastPass or Bitwarden?

LastPass and Bitwarden are well-known password managers with broad personal and business use cases. SealedKeys takes a more focused approach: it is built for small technical teams that need to manage passwords, API keys, SSH keys, deployment tokens and contractor access in one place.

SealedKeys includes organisation-level vaults, granular roles, contractor offboarding and audit visibility from the start, with simple pricing from £1.99/user/month.

Can I use SealedKeys for API keys and SSH keys, not just passwords?

Yes. SealedKeys supports five secret types: website logins, API keys & tokens, SSH private keys, recovery codes, and secure notes. All are encrypted identically using AES-256-GCM.

What happens if I forget my master password?

Because SealedKeys is truly zero-knowledge, we cannot recover your vault. Your master password is never transmitted to our servers in usable form. We strongly recommend writing it down and storing it in a secure physical location. Emergency recovery via a trusted contact is on our roadmap.

Is SealedKeys suitable for contractor and freelancer access?

Yes — this is a core use case. You can invite contractors with Read-only or Member roles, scoped to a specific organisation vault. When they leave, remove their access and use the offboarding checklist to rotate secrets they had access to.

Where is my data stored?

SealedKeys runs on Hetzner infrastructure in the EU. All data in transit is protected by TLS 1.3. At rest, your secrets are stored as AES-256-GCM ciphertext. We never transfer data outside the EU.

Start protecting your secrets today

Free to start. No credit card. Zero-knowledge from day one.

Create free vault