Keeper is a well-established password manager with enterprise features. SealedKeys is a simpler, cheaper alternative built for technical teams. You get open-source encryption, SSO on every Pro plan, and dedicated SSH and API key types — no enterprise tier required.
In short
SealedKeys is a zero-knowledge alternative to Keeper for technical teams. It has dedicated SSH and API key types, SAML SSO in the standard Pro plan, and EU-only data residency. It is UK Cyber Essentials certified and costs £3.49 per user per month.
Three common pain points — based on what switching teams tell us.
Keeper Business starts at around £4.50 per user per month. Need SSO? That is an add-on — it costs extra on top of the base price. For a team of 20, that gap adds up. SealedKeys Pro is £3.49 per user per month and includes SAML SSO with Okta, Entra ID and Google Workspace at no extra charge.
Keeper lets you store SSH keys using custom record types, but there is no purpose-built SSH key field. You have to improvise. SealedKeys was built for technical teams from day one. SSH private keys and API tokens each have their own field type, so your vault stays clean and easy to search.
Keeper is a US company and stores data in the US unless you pay for the enterprise tier and request EU hosting. SealedKeys stores all data in the EU — on Hetzner infrastructure in Germany — on every plan, with no extra steps required.
Common reasons technical teams evaluate switching — factual, not FUD.
Keeper's SAML SSO is locked behind the Enterprise plan. That means a sales call and higher per-user pricing. SealedKeys includes SAML 2.0 SSO with Okta, Entra ID and Google Workspace in the standard Pro plan at £3.49 per user per month. No upsell needed.
Keeper's encryption code is proprietary. You have to take their word for it. SealedKeys publishes its full encryption layer on GitHub. Any developer can read every line and check that the zero-knowledge design holds. No trust required.
Keeper supports custom record types, but SSH keys and API tokens have no purpose-built layout. SealedKeys was built for technical teams from the start. It has dedicated field types for SSH private keys and API credentials — so your vault stays organised.
SealedKeys holds UK Cyber Essentials certification. Keeper does not (as of May 2026). If you work in the UK government supply chain, Cyber Essentials is often a procurement requirement.
Honest comparison — including where Keeper has the advantage.
| Feature | SealedKeys | Keeper |
|---|---|---|
Zero-knowledge architecture Both claim zero-knowledge | ||
Open-source encryption layer | github.com/sealedkeys/crypto | — Closed source |
SAML 2.0 SSO included in standard plan | Included in Pro at £3.49/user/month | — Enterprise tier required |
SSH key storage (dedicated type) | — Via custom fields | |
API key storage (dedicated type) | — Via custom record types | |
EU data residency | All plans, Hetzner EU | Available on Business |
Cyber Essentials certified | — Not certified (as of May 2026) | |
Browser extension | — Roadmap | |
Mobile apps (iOS / Android) | — Web only currently | |
Audit log — who copied what | User email, IP & field name on every copy, view, edit or deletion | Business tier; proprietary logging on Keeper servers |
Offline access | Encrypted backup + offline viewer | |
Price (per user/month) | £3.49 | ~£4.50+ |
Prices and features correct as of May 2026. Verify directly with each vendor before making a decision.
Keeper has well-built browser extensions and highly-rated mobile apps with biometric unlock. SealedKeys is web-only for now.
Keeper offers enterprise PAM features including session recording and infrastructure access. SealedKeys focuses on team secret sharing.
Keeper supports offline vault access in its apps. SealedKeys has an offline viewer, but you need to export your vault first.
Keeper has been running since 2011 and has multiple independent security audits. SealedKeys is newer — pen-tested in May 2026 with zero findings, but a shorter history.
The whole process takes under 15 minutes for most teams.
In Keeper, go to Settings → Export. Choose CSV or JSON and download the file to your computer.
In SealedKeys, go to Settings → Import. Pick your Keeper CSV file. Login entries map across automatically.
Open a few entries and check the usernames, passwords and URLs look right. Spot-check any important credentials.
Go to Settings → Members and send invites. Each team member creates their own account and sets their own master password.
Once your team is set up and happy, cancel Keeper from your Keeper account settings. Keep your Keeper export file as a backup until you are fully switched over.
Yes. Export your Keeper vault as a CSV and import it into SealedKeys. The importer handles standard Keeper exports and maps login items across. Custom record types — like SSH keys stored via Keeper's custom fields — will need to be re-entered as typed fields in SealedKeys.
Both SealedKeys and Keeper claim zero-knowledge. SealedKeys derives the vault key in your browser using PBKDF2-SHA256 with 600,000 iterations. The full encryption code is published on GitHub — you can read and check every line. Keeper's encryption is proprietary and not publicly auditable.
SealedKeys is independently run with lean EU infrastructure and no enterprise sales team. Keeper's pricing reflects a broader feature set — PAM, mobile and desktop native apps, and a larger organisation. SealedKeys focuses on what technical teams need for secure secret sharing.
Not currently. SealedKeys is focused on team password and secret sharing, not privileged access management. If you need session recording, infrastructure brokering or just-in-time access, Keeper or a dedicated PAM tool is a better fit.
SealedKeys holds Cyber Essentials certification and is hosted on EU infrastructure only. Keeper is not Cyber Essentials certified as of May 2026. Check the specific requirements with your contracting authority.
Yes. SealedKeys supports Generic CSV import, and Keeper CSV exports map across cleanly. Go to Settings → Import, upload the file, and your logins will appear in a preview before anything is saved. Custom Keeper record types like SSH keys will need to be added manually as dedicated SSH key entries.
Yes. SealedKeys Pro is £3.49 per user per month, all features included. Keeper Business starts at around £4.50 per user per month — and if you need SSO, that costs extra as an add-on. For most teams, SealedKeys works out noticeably cheaper, especially once SSO is factored in.
Not yet. SealedKeys is web-only at the moment — you open the app in your browser to copy credentials. A browser extension is on the roadmap. If autofill is critical for your workflow, Keeper has the advantage here for now.
Free to start — no credit card needed. Import your Keeper CSV export in a few minutes.