DV cleared · Cyber Essentials certified · UK hosted

Password Manager
for Contractors

Working across multiple clients means managing credentials for each one — securely, separately, and in a way that holds up to client scrutiny. SealedKeys is built for exactly that.

In short

SealedKeys is a zero-knowledge password manager for working with contractors and freelancers, letting you share specific secrets with read-only or member roles and cleanly off-board access when projects end. Every action is logged, and secrets are encrypted client-side with AES-256-GCM.

The contractor credential problem

Contractors hold credentials for production systems across multiple clients simultaneously. A single password manager shared between client work creates real risk — if one client's environment is compromised, your entire credential store is a target.

At the same time, government and enterprise clients increasingly ask contractors to demonstrate how they handle secrets. “I use 1Password” isn't an answer when the client wants an audit trail and Cyber Essentials compliance.

SealedKeys gives you isolated vaults per client, a complete audit log, zero-knowledge encryption, and UK-hosted infrastructure — all in a tool you can point to when the question comes up.

Built for how contractors actually work

Every feature designed around the multi-client, compliance-conscious contractor.

Separate credentials per client

Keep each client's credentials in isolated vaults. No risk of cross-contamination — and instant revocation when a contract ends.

DV & SC clearance compatible

Zero-knowledge architecture means your secrets are encrypted before leaving your device. No third-party has access — compatible with sensitive government environments.

Audit trail for every access

Every time a secret is viewed, copied or changed, it's logged. Demonstrate compliance to clients with a complete access history.

SSO with client identity providers

Sign in via the client's Okta, Entra ID or Google Workspace. Zero-knowledge preserved — your vault key never touches the SSO provider.

Hand off secrets securely

End of contract? Export an encrypted backup the client can hold. Or revoke access and they retain nothing. Your choice.

Cyber Essentials certified

Required for many UK government contracts. SealedKeys is Cyber Essentials certified — use a tool that meets the standard you're being assessed against.

Meets UK government supply chain requirements

Cyber Essentials certified — meets NCSC baseline security standard
Zero-knowledge architecture — server cannot access your secrets even under compulsion
EU data residency — data never leaves the European Union
Full audit trail — every access logged with timestamp, user and IP
Open-source encryption — independently auditable by your client's security team
Encrypted export — your data is yours, portable and not locked in

Simple pricing for contractors

Solo or small team — the same zero-knowledge vault, no per-seat enterprise pricing.

Free

£0

25 items · 1 user

  • Zero-knowledge encryption
  • All secret types
  • Audit log
  • Offline viewer
Most popular

Pro

£3.49/mo

Unlimited items · per user

  • Everything in Free
  • Unlimited secrets
  • SAML 2.0 SSO
  • Team vaults
  • Priority support

Common questions from contractors

Can I manage credentials for multiple clients separately?

Yes. SealedKeys supports multiple organisations (vaults) per account. You can maintain separate, fully isolated vaults for each client — credentials in one vault are never visible from another. When a contract ends, simply remove access or delete the vault.

Does SealedKeys meet Cyber Essentials requirements?

SealedKeys is Cyber Essentials certified, meeting the UK government's NCSC baseline security standard. The zero-knowledge architecture, encrypted storage and audit trail align with Cyber Essentials controls around access control and malware protection.

Can I sign in using my client's identity provider?

Yes. SealedKeys supports SAML 2.0 single sign-on, compatible with Okta, Microsoft Entra ID and Google Workspace. If your client has provisioned you an SSO account, you can authenticate via their identity provider. The zero-knowledge architecture is fully preserved — your vault key is still derived client-side.

What happens to client data when a contract ends?

You have two options: export an encrypted backup that the client can hold independently, or delete the vault and all credentials are gone from SealedKeys immediately. Nothing persists on the server because the server stores only ciphertext — and without your master password, it is unreadable.

Is SealedKeys suitable for SC or DV-cleared environments?

SealedKeys' zero-knowledge architecture means no third party — including SealedKeys — can access your secrets. Combined with EU data residency, Cyber Essentials certification and an open-source encryption layer, it is compatible with sensitive government and defence environments. Confirm specific clearance requirements with your contracting authority.

What does SealedKeys cost for a solo contractor?

The Free plan covers 25 vault items at no cost — suitable for a small number of clients. Pro is £3.49/user/month and includes unlimited vault items, unlimited organisations, SAML SSO and priority support. No contracts, cancel any time.

Start managing client credentials properly

Free to start — no credit card. Takes 2 minutes to set up.