Built by engineers who got tired of storing SSH keys in ~/.ssh, API tokens in .env files and TOTP seeds in a note. SealedKeys has dedicated types for all of them — with open-source, auditable encryption.
Store RSA, Ed25519 and ECDSA private keys in a dedicated field type — not a notes workaround. Share with your team without emailing the file around.
Named fields for API keys with service name, environment (prod/staging/dev) and notes. Copy with one click; every copy is logged.
Store the TOTP seed (not just the OTP) — useful for dev accounts, CI/CD pipelines and shared service accounts where you need the seed itself.
Connection strings, database passwords and read-only replica credentials — organised per environment, shared only with the engineers who need them.
Store 2FA backup codes for service accounts, cloud consoles and deployment tools — encrypted and accessible when you actually need them.
Architecture notes, environment configuration details, deployment secrets — anything that shouldn't live in a public Notion page or repo wiki.
No hand-waving. Here's exactly what the cryptography looks like.
PBKDF2-SHA256 · 600,000 iterations · Web Crypto API
AES-256-GCM · Fresh random IV per item · Authenticated encryption
base64url(IV[12] || ciphertext) — stored in MySQL MediumText
email + 'sealedkeys_v1' — no separate salt to store
github.com/sealedkeys/crypto — read the implementation
The encryption layer is on GitHub. Every function, every primitive — readable.
Open DevTools → Network. Unlock your vault. You'll see encrypted blobs, never plaintext.
Export your vault. Open the offline HTML file with wifi off. Your data decrypts locally — no server involved.
Yes. The full encryption layer is published at github.com/sealedkeys/crypto. Key derivation, AES-256-GCM encryption and decryption, and the wire format are all readable and auditable. The application code (server, API, UI) is not currently open source.
PBKDF2-SHA256 with 600,000 iterations for key derivation, using your email address concatenated with 'sealedkeys_v1' as the salt. AES-256-GCM for encryption with a fresh random 12-byte IV per item. All operations run in the browser via the Web Crypto API — no third-party crypto libraries.
Yes. SealedKeys stores the TOTP seed itself as a secret — useful for shared service accounts, CI/CD pipelines where you need to generate OTPs programmatically, or anywhere you need access to the seed rather than just the current code.
SealedKeys is a team vault, not a CI/CD secrets injection platform. It's well-suited for storing and sharing the credentials that get configured into your CI/CD platform — API keys, deployment tokens, cloud access keys — rather than injecting them directly into pipelines. That said, you can copy from the vault into your CI/CD tool's secrets store.
The offline viewer is a single self-contained HTML file with no external dependencies. It implements the same PBKDF2 + AES-256-GCM decryption in vanilla JavaScript using the Web Crypto API. Load it from disk, paste your encrypted export, enter your master password — decryption happens entirely locally. The file is published at sealedkeys.com/sealedkeys-offline-viewer.html.
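The scheme described above (PBKDF2-SHA256 key derivation, AES-256-GCM per item, base64url(IV || ciphertext) as the stored form), as an added example that is not taken from github.com/sealedkeys/crypto. The function names, UTF-8 encoding of the password and salt, unpadded base64url and the default 128-bit GCM tag are assumptions, and the sample values are constructed.

```javascript
// Added illustration of the scheme this page describes; not SealedKeys' own code.
// Assumptions: UTF-8 password/salt, unpadded base64url, default 128-bit GCM tag.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();

// PBKDF2-SHA256, 600,000 iterations, salt = email + 'sealedkeys_v1' -> AES-256-GCM key.
async function deriveKey(email, password) {
  const material = await wc.subtle.importKey(
    "raw", enc.encode(password), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt: enc.encode(email + "sealedkeys_v1"), iterations: 600000 },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// base64url helpers (spread is fine for vault-item sized inputs).
const toB64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (text) =>
  Uint8Array.from(atob(text.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));

// Stored form: base64url(IV[12] || ciphertext); Web Crypto appends the GCM tag to the ciphertext.
async function encryptItem(key, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh random IV per item
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(plaintext)));
  const blob = new Uint8Array(12 + ct.length);
  blob.set(iv);
  blob.set(ct, 12);
  return toB64url(blob);
}

// Splits the IV from the ciphertext; rejects on a wrong key or any modified byte.
async function decryptItem(key, wire) {
  const blob = fromB64url(wire);
  if (blob.length < 12 + 16) throw new Error("blob too short for IV + GCM tag");
  const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv: blob.slice(0, 12) }, key, blob.slice(12));
  return new TextDecoder().decode(pt);
}

// Constructed demo: round-trip one item, then flip a ciphertext bit and expect rejection.
async function demo() {
  const key = await deriveKey("dev@example.com", "constructed-master-password");
  const wire = await encryptItem(key, "sample-api-token");
  const tampered = fromB64url(wire);
  tampered[tampered.length - 1] ^= 1;
  const tamperRejected = await decryptItem(key, toB64url(tampered)).then(() => false, () => true);
  return { wire, plaintext: await decryptItem(key, wire), tamperRejected };
}
```

Calling `demo()` in a browser console or Node resolves to the stored blob, the recovered plaintext and whether the modified blob was rejected.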
Yes. SealedKeys imports Bitwarden JSON, 1Password CSV and generic CSV formats. The importer auto-detects the format and maps secret types. SSH keys and API tokens stored as secure notes in other tools can be re-entered as their proper typed fields after import.
25 items free. Open-source encryption. No credit card.