Documentation

Everything you need to set up and use SealedKeys.

Quick start

Create your account

  1. Go to sealedkeys.com and click Start free.
  2. Enter your email and choose a master password (minimum 12 characters).
  3. Store your master password somewhere safe — it cannot be recovered. SealedKeys never stores it.
  4. You are now signed in. Your vault is empty and ready.

Your master password is the only way to decrypt your vault. If you lose it, your secrets are permanently inaccessible. Write it down and store it securely offline.

Add your first secret

  1. Navigate to My Vault in the sidebar.
  2. Click Add secret.
  3. Choose a secret type (Login, API Key, SSH Key, Recovery Codes, or Note).
  4. Fill in the fields. Secrets are encrypted in your browser before being sent — the server never sees plaintext.
  5. Click Save.

Enable two-factor authentication

We strongly recommend enabling MFA immediately after creating your account. Go to Settings → Security → Two-factor authentication and follow the setup flow. You will need an authenticator app (Authy, Google Authenticator, 1Password, etc.).

Secret types

SealedKeys supports five secret types. All are encrypted identically (AES-256-GCM) — the type only affects which fields are shown.

Login (LOGIN)

Username, password, URL and TOTP seed for website accounts. The password generator is built in.

API Key (API KEY)

API keys, tokens and bearer credentials. Supports a notes field for documenting scope and expiry.

SSH Key (SSH KEY)

Private key, public key and optional passphrase. Private key content is stored encrypted.

Recovery Codes (RECOVERY)

2FA backup codes, one per line. Safe place for the codes your authenticator app generates during MFA setup.

Secure Note (NOTE)

Free-form encrypted text. Useful for credentials that don't fit a structured type, internal tokens, or config snippets.

Importing secrets

SealedKeys can import from Bitwarden, 1Password, and any generic CSV. Go to Settings → Vault → Import and drop your export file. The format is detected automatically.

All items are encrypted in your browser before upload. The server never sees your imported secrets in plaintext.

From Bitwarden

  1. In Bitwarden: go to Tools → Export vault.
  2. Choose format: Account backup (unencrypted) — JSON format.
  3. Do not use the encrypted export; SealedKeys cannot decrypt it.
  4. Drop the .json file into the SealedKeys import panel.

Logins and secure notes are imported. Cards and identities are skipped (not supported).

From 1Password

  1. In 1Password: open the vault you want to export.
  2. Go to File → Export → All Items.
  3. Choose CSV format.
  4. Drop the .csv file into the SealedKeys import panel.

From a generic CSV

Any CSV with at least a name/title column and a password or notes column will work. SealedKeys recognises common column names: title, name, username, password, url, notes, tags.

Export & backup

Go to Settings → Vault → Export. Two formats are available.

Plaintext JSON

All secrets in human-readable form. Use this to migrate to another password manager. Requires a confirmation checkbox. Delete the file immediately after use.

Encrypted backup

Raw ciphertext blobs — identical to what is stored on the server. Safe to keep as a backup anywhere. Can only be decrypted by the SealedKeys offline viewer using your master password.

Offline viewer

Download sealedkeys-offline-viewer.html — a single self-contained file that runs entirely in your browser with no internet connection required. Open an encrypted backup, enter your master password, and read your secrets. Press Escape to wipe all data from memory.

The offline viewer uses identical cryptographic parameters to the main app: PBKDF2-SHA256 (600,000 iterations) + AES-256-GCM. It only accepts the encrypted backup format.

Security model

Zero-knowledge architecture

SealedKeys is designed so that the server never has access to your plaintext secrets. Every encryption and decryption operation happens in your browser using the Web Crypto API.

Key derivation

When you log in, your vault key is derived from your master password using PBKDF2-SHA256 with 600,000 iterations. The salt is your email address concatenated with a fixed suffix (sealedkeys_v1). The derived key never leaves your browser.

Encryption

Each vault item's secrets are serialised to JSON and encrypted with AES-256-GCM. A random 12-byte IV is generated per item per save. The wire format is: base64url(iv[12 bytes] + ciphertext).
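The key derivation and wire format described above, as an added example using the Web Crypto API; this is not SealedKeys source code. The function names are hypothetical, and the UTF-8 encoding, the email being used exactly as typed, the GCM tag being appended to the ciphertext, and unpadded base64url are assumptions the page does not state.

```javascript
// Added example, not SealedKeys source. ASSUMED: UTF-8 encoding, email used as
// typed, GCM tag appended to the ciphertext (Web Crypto default), unpadded base64url.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const SALT_SUFFIX = 'sealedkeys_v1'; // fixed suffix named in the docs

async function deriveVaultKey(email, masterPassword) {
  const material = await wc.subtle.importKey(
    'raw', enc.encode(masterPassword), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', iterations: 600000,
      salt: enc.encode(email + SALT_SUFFIX) },
    material,
    { name: 'AES-GCM', length: 256 },
    false, // non-extractable: script cannot export the raw key
    ['encrypt', 'decrypt']);
}

function toB64url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function fromB64url(text) {
  const b64 = text.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Encrypt one item's fields with a fresh random 12-byte IV on every save.
async function sealItem(key, fields) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const plaintext = enc.encode(JSON.stringify(fields));
  const ct = new Uint8Array(
    await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext));
  const wire = new Uint8Array(iv.length + ct.length);
  wire.set(iv, 0);
  wire.set(ct, iv.length);
  return toB64url(wire);
}

// Split iv || ciphertext and decrypt; rejects on a wrong key or any modified byte.
async function openItem(key, blob) {
  const wire = fromB64url(blob);
  if (wire.length < 12 + 16) throw new Error('blob shorter than IV + GCM tag');
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: wire.subarray(0, 12) }, key, wire.subarray(12));
  return JSON.parse(new TextDecoder().decode(pt));
}
```

Because GCM authenticates the ciphertext, a wrong master password and a tampered backup both surface as the same decryption failure rather than as garbage plaintext.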

What the server stores

The server stores: your email address, a bcrypt hash of your master password (for login authentication only), and AES-256-GCM ciphertext for each vault item. Item names, URLs and tags are stored unencrypted to allow server-side search in future — they are treated as metadata, not secrets.

If you need to keep item names or URLs confidential, use generic names and store the real name in the encrypted notes field.

Infrastructure

All data is stored on infrastructure in the EU. Data is never transferred outside the EU. All traffic is encrypted with TLS 1.3. The server has no mechanism to decrypt vault items — the encryption key only exists in your browser session.

Two-factor authentication

Setting up MFA

  1. Go to Settings → Security → Two-factor authentication.
  2. Click Set up MFA.
  3. Scan the QR code with your authenticator app (Authy, Google Authenticator, 1Password, Bitwarden, etc.).
  4. Enter the 6-digit code from your app to confirm.
  5. MFA is now enabled. Future logins require your password and a TOTP code.

Disabling MFA

Go to Settings → Security → Two-factor authentication and click Disable MFA. You must enter a valid TOTP code to confirm. If you have lost access to your authenticator app, contact hello@sealedkeys.com.

Teams & access

Roles

Role | Can read | Can write | Can manage members
Owner
Admin ✓ (cannot remove Owner)
Member
Read-only

Inviting teammates

  1. Go to Team Vault in the sidebar.
  2. Click Invite member.
  3. Enter their email address and choose a role.
  4. They will receive an invitation email with a sign-up link.

Contractor access

Invite contractors with the Read-only role so they can access shared credentials without being able to modify or delete them. When the engagement ends, remove them from the team. Rotate any secrets they had access to.

Settings

Auto-lock

Set an inactivity timeout in Settings → Vault → Auto-lock. Options: 5, 15, 30, 60 minutes, or never. The vault locks automatically after the chosen period of inactivity and requires your master password to unlock again.

Changing your master password

Go to Settings → Security → Master password. Enter your current password and choose a new one (minimum 12 characters). SealedKeys will re-encrypt every vault item with the new key in your browser before sending anything to the server. The server atomically updates your authentication hash and all ciphertexts in a single transaction — nothing is left in an inconsistent state.

After changing your master password, any existing sessions on other devices will continue to work until they re-authenticate. Lock all other sessions manually if you suspect compromise.

Security health

The Security tab in the sidebar shows your vault health score, highlights weak or reused passwords, and lets you check all login passwords against the HaveIBeenPwned breach database using k-anonymity (only the first 5 characters of the SHA-1 hash are sent — your passwords are never transmitted).
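The k-anonymity check described above, as an added example that is not SealedKeys code. The function names are hypothetical, the `SUFFIX:COUNT` line format is that of the public Pwned Passwords range API, and the sample response and its counts are constructed so the block runs offline.

```javascript
// Added example, not SealedKeys code. Only the 5-character SHA-1 prefix is
// passed to fetchRange; the suffix comparison happens locally.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;

async function sha1Hex(password) {
  const digest = await subtle.digest('SHA-1', new TextEncoder().encode(password));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, '0'))
    .join('').toUpperCase();
}

// Split the 40-hex-character hash into the part that is sent and the part that is kept.
async function splitHash(password) {
  const hex = await sha1Hex(password);
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// The range response lists every known suffix for the prefix as "SUFFIX:COUNT".
function breachCount(rangeBody, suffix) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) {
      return parseInt(count, 10) || 0; // a zero count means "not breached"
    }
  }
  return 0;
}

// fetchRange(prefix) is injected so the network call can be audited or stubbed.
async function checkPassword(password, fetchRange) {
  const { prefix, suffix } = await splitHash(password);
  return breachCount(await fetchRange(prefix), suffix);
}

// Constructed sample response for prefix 5BAA6 (counts are made up).
const SAMPLE_RANGE = [
  '0'.repeat(34) + '1:2',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42',
  'F'.repeat(35) + ':0',
].join('\r\n');

// Offline stand-in for the range lookup; records exactly what would be sent.
const sentPrefixes = [];
async function offlineFetchRange(prefix) {
  sentPrefixes.push(prefix);
  return prefix === '5BAA6' ? SAMPLE_RANGE : '';
}
```

Logging the argument to `fetchRange`, as `sentPrefixes` does here, is a direct way to confirm that nothing beyond the 5-character prefix leaves the client.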

Audit log

Every create, update, delete, view and copy event is logged and visible in the Audit Log tab. Use this to spot unexpected access or changes to sensitive secrets.
