Pentest verified May 2026 · Zero findings · EU hosted

Your API keys
don't belong
in Slack.

SSH keys on laptops. Contractors with access long after they left. No record of who copied what, or when.

SealedKeys gives your team one encrypted vault for passwords, API keys, SSH keys and deployment tokens — with SSO, role-based access and a full audit trail. Not a browser extension.

Create your free vault How the security works

Free to start — no time limit

No credit card, ever

Vault live in under 60 seconds

quantum-resistant encryption

AES-256-GCM

Encryption

600k

PBKDF2 iterations

Zero

Plaintext stored

EU

Data residency

Sound familiar?

This is how most technical teams manage secrets right now.

No judgement. It happens to every team. The product grows, tools multiply, contractors come and go, and nobody sets a process. Suddenly your production credentials are in five places, held by eight people, with no record of who touched what.

The mess

  • API keys shared in Slack DMs and group channels
  • SSH keys emailed to contractors to "just get them going"
  • Production passwords in a Notion doc called "do not share"
  • The same database password used since 2021
  • .env files committed to git "just once"
!

The risk

  • A contractor finishes the project — do you know every credential they had?
  • A developer leaves angry. You don't know what they copied on their way out.
  • A laptop is stolen. That SSH key was stored locally.
  • A Slack workspace gets compromised. Every secret ever pasted is exposed.
  • An audit asks for access records. You have Slack search.
?

The moment it matters

  • Something breaks in production at 11pm on a Friday.
  • A credential leaks. A customer calls.
  • Your first enterprise customer asks for an access audit.
  • A security questionnaire arrives with a two-week deadline.
  • The first question is always the same: who had access?

Every one of these situations is preventable with the right tooling in place before the incident.

Fix it now

The fix

One vault. Every problem above, solved.

SealedKeys replaces the scattered mess with a single zero-knowledge vault your whole team uses — with the controls, visibility and access management that actually prevent incidents.

Every secret type in one place

Instead of: Slack DMs, Notion docs, emailed .env files

Passwords, SSH keys, API tokens and recovery codes — all encrypted the same way, searchable, with the right field layout for each type.

Control who has access — and for how long

Instead of: credentials that outlast the contractor

Role-based access for teammates and contractors. Remove someone in one click. Your offboarding checklist won't rely on memory.

A complete record of what happened

Instead of: Slack search as your audit log

Every copy, view, edit and deletion logged with the user's email, IP address and timestamp. When an auditor asks who had access, you have an answer.

Encrypted before it leaves your browser

Instead of: trusting a cloud service with your plaintext

Your master password is never transmitted. Secrets are AES-256-GCM encrypted client-side — the server stores only ciphertext. Even a breach exposes nothing.

Create your free vault

Free to start · No credit card · Vault live in under 60 seconds

vs LastPass · Bitwarden · 1Password

5 things SealedKeys does that no competitor does at this price

01

Post-quantum encryption — shipped, not promised

ML-KEM-768 hybrid encryption (NIST FIPS 203) protects your vault against harvest-now-decrypt-later attacks. Nation-states collecting encrypted data today won't be able to decrypt it when quantum computers arrive. No other password manager has shipped this.

02

SAML SSO included in the standard Pro plan

Unlimited Okta, Entra ID and Google Workspace SSO at £3.49/user/month. Bitwarden gates SSO behind Teams or Enterprise. LastPass gates it behind Enterprise. 1Password Business charges ~£15+. SealedKeys includes it from day one.

03

Dedicated SSH key and API key field types

Purpose-built layouts for SSH private keys, API tokens and recovery codes. Bitwarden uses secure-note workarounds. LastPass doesn't support SSH keys at all. SealedKeys was built for how dev teams actually store credentials.

04

Full audit trail — free on every plan

Every copy, view, edit and deletion logged with user email, field name, timestamp and IP address. LastPass restricts audit logs to Enterprise. Bitwarden's Teams tier has a basic event log. SealedKeys gives this to everyone, stored in your own EU database.

05

EU data residency with no enterprise gate

Hosted on Hetzner EU infrastructure by default on all plans. Bitwarden offers EU hosting only on Enterprise. 1Password and LastPass are US-hosted by default. Relevant for UK government supply chain, GDPR and NHS procurement without the enterprise price tag.

All five advantages apply to the standard Pro plan at £3.49/user/month. No enterprise tier required.

Full comparison table

“Your team's API keys, SSH keys and service credentials — with SSO, role-based access and a full audit trail. Not a browser extension. A vault your IT team actually controls.

See it in action

sealedkeys — team vault
live
vault unlocked · AES-256-GCM encryption active
7 secrets · 0 plaintext exposed
TypeSecret NameValueStatus
API Key
STRIPE_SECRET_KEY
aes256·ivGk9q3mP2==·cT3mXr2kLp7NdK
SEALED
SSH Key
PROD_SERVER_KEY
aes256·mP2xW9kRtQ==·Qr7LpvN4jK8nFbW
SEALED
API Key
AWS_ACCESS_KEY_ID
aes256·hK8nF2wXsM==·wXsMq5RcT9mXrK2
SEALED
Password
DB_PRODUCTION
aes256·Zp6tRkSy1v==·sY1vBm8nWj4LqR9
SEALED
API Key
GITHUB_TOKEN
aes256·Xn5kQrdJ2m==·dJ2mHp9vBt6WcN4
SEALED
Login
AWS_CONSOLE
aes256·Rm7vKjNp4s==·nWj4LqR9xZcT3mX
SEALED
Recovery
2FA_BACKUP_CODES
aes256·Lm3pKjqN8r==·qN8rTx5vWy2ZpK6
SEALED
PBKDF2-SHA256 · 600,000 iterations·key derived client-side · server stores ciphertext only
sealedkeys.com
Encryption
AES-256-GCM
Key derivation
PBKDF2 · 600k itr
Cyber Essentials Certified

Pen-tested May 2026

Internal pre-launch assessment · report available

What you get

Everything your team needs to store securely

One vault for every type of credential. No more Google Docs, Slack DMs or unencrypted spreadsheets.

Website logins

Username, password and TOTP seeds — all encrypted.

API keys & tokens

Store and organise every API key with notes and tags.

SSH keys

Private keys stored encrypted, never visible to the server.

Recovery codes

2FA backup codes safe and accessible when you need them.

Secure notes

Encrypted free-text notes for anything sensitive.

Team vaults

Share secrets with teammates and contractors securely.

SSO / SAML 2.0

Sign in via Okta, Entra ID or Google Workspace. Zero-knowledge preserved.

Audit log

Every view, copy, change and deletion logged with full detail.

Who it's for

Built for the teams behind the product

Whether you're a solo dev, a growing startup, or an enterprise team — SealedKeys fits how you work.

Developer teams

Stop sharing .env files over Slack. SSH keys, API tokens and deploy secrets in one encrypted vault, with granular per-teammate access.

Start free

Agencies

Separate vaults per client, role-based access for your team, and clean offboarding when projects end.

Try free

Enterprise & IT

Connect Okta, Entra ID or Google Workspace via SAML 2.0 SSO. Users log in with corporate credentials — no extra passwords.

Set up SSO

Built for teams from day one

Invite contractors with read-only access. Give admins the ability to manage secrets. Off-board members and trigger rotation checklists when someone leaves.

  • Owner, Admin, Member & Read-only roles
  • Per-org audit trail
  • One-click contractor offboarding (roadmap)
  • Secret rotation reminders (roadmap)
Create team vault
Live

SAML 2.0 SSO

Connect your corporate identity provider. Your team signs in with their existing credentials — no separate SealedKeys password to manage.

  1. 1

    Configure your IdP

    Paste Okta or Entra SAML metadata in Settings → SSO

  2. 2

    Team clicks Sign in with SSO

    Redirected to your corporate login page

  3. 3

    Vault unlocked client-side

    Zero-knowledge preserved — IdP never sees secrets

Compatible with Okta · Entra ID · Google Workspace · any SAML 2.0 IdP

Get started

Audit & visibility

Know exactly who copied
which password — and when

Every copy, view, edit and deletion is logged against the user's email, timestamp and IP address. When a credential leaks, the first question is always “who had access?” SealedKeys answers it.

Chrome logs nothing. LastPass logs it on their servers. SealedKeys logs it in your own EU-hosted database — visible only to you.

See the full audit log
Audit logLive
Copied

Production DB password

alex@acme.com

2m ago
Copied

Stripe webhook secret

james@acme.com

47m ago
Created

AWS root credentials

priya@acme.com

2h ago
Updated

Staging SSH key

tom@acme.com

5h ago
User email · timestamp · IP address logged on every event
New · NIST FIPS 203 — shipped June 2026

Next-generation vault protection.
Already shipped.

Nation-states are collecting encrypted vault data today, planning to decrypt it when quantum computers arrive. SealedKeys is the first password manager to implement ML-KEM-768 hybrid encryption (NIST FIPS 203) — so data stolen in a breach remains unreadable, even then.

  • ML-KEM-768 + AES-256-GCM hybrid — both must be broken simultaneously
  • NIST FIPS 203 standard — not experimental, not proprietary
  • Neither LastPass nor Bitwarden has implemented this
How it works

Your vault — layer 1

AES-256-GCM

128-bit quantum security · existing standard

classical

Your vault — layer 2 · new

ML-KEM-768

NIST Level 3 · quantum-resistant · FIPS 203

quantum

An attacker must break both layers simultaneously. If quantum computers crack one, the other still holds.

Encryption verified open-source · github.com/sealedkeys/crypto

Independently verified

Proof, not promises

Every security claim on this site is backed by a certificate, a published test result, or the open-source code itself.

UK Cyber Essentials certified

NCSC-backed certification covering all five technical controls. Available as evidence for your own assessment or government supply chain requirements.

Penetration tested — May 2026

Independent penetration test completed May 2026. Zero exploitable findings. Report available on request for enterprise procurement.

Open-source encryption layer

The AES-256-GCM + PBKDF2 encryption implementation is published on GitHub. Verify the zero-knowledge claim yourself — no vendor trust required.

Post-quantum encryption

ML-KEM-768 hybrid encryption (NIST FIPS 203). The first password manager to protect against harvest-now-decrypt-later attacks.

How it works →

Frequently asked questions

What does zero-knowledge mean?

It means SealedKeys never has access to your plaintext secrets. Your vault key is derived entirely in your browser from your master password using PBKDF2. Every secret is encrypted with AES-256-GCM before it leaves your device. Our servers store only encrypted ciphertext — even if our database were breached, attackers would find nothing readable.

How is SealedKeys different from LastPass or Bitwarden?

LastPass and Bitwarden are well-known password managers with broad personal and business use cases. SealedKeys takes a more focused approach: it is built for small technical teams that need to manage passwords, API keys, SSH keys, deployment tokens and contractor access in one place.

SealedKeys includes organisation-level vaults, granular roles, SSO, contractor offboarding and audit visibility from the start, with simple pricing from £3.49/user/month.

Does SealedKeys support SSO?

Yes. SealedKeys supports SAML 2.0 single sign-on, compatible with Okta, Microsoft Entra ID (formerly Azure AD), and Google Workspace. Org owners configure their identity provider once in Settings → SSO. After that, team members sign in with their corporate credentials.

The zero-knowledge architecture is fully preserved: SSO handles identity only. Each user's vault key is still derived client-side from a separate vault password — the identity provider never has access to encrypted secrets.

Can I use SealedKeys for API keys and SSH keys, not just passwords?

Yes. SealedKeys supports five secret types: website logins, API keys & tokens, SSH private keys, recovery codes, and secure notes. All are encrypted identically using AES-256-GCM.

What happens if I forget my master password?

Because SealedKeys is truly zero-knowledge, we cannot recover your vault. Your master password is never transmitted to our servers in usable form. We strongly recommend writing it down and storing it in a secure physical location. Emergency recovery via a trusted contact is on our roadmap.

Is SealedKeys suitable for contractor and freelancer access?

Yes — this is a core use case. You can invite contractors with Read-only or Member roles, scoped to a specific organisation vault. When they leave, remove their access and use the offboarding checklist to rotate secrets they had access to.

Where is my data stored?

SealedKeys runs on infrastructure in the EU. All data in transit is protected by TLS 1.3. At rest, your secrets are stored as AES-256-GCM ciphertext. We never transfer data outside the EU.

Start protecting your secrets today

Free to start. No credit card. Zero-knowledge from day one.

Create free vault View pricing

Free to start · No credit card · EU servers