Nation-states are harvesting encrypted vault data now, planning to crack it when quantum computers arrive. SealedKeys is the first password manager to implement NIST FIPS 203 post-quantum encryption — so stolen ciphertext stays unreadable, even then.
In short
SealedKeys uses ML-KEM-768 hybrid encryption: your vault is protected by both AES-256-GCM and ML-KEM-768 (NIST FIPS 203). An attacker must break both simultaneously. Neither LastPass nor Bitwarden has implemented post-quantum vault encryption.
You don't need a quantum computer to be at risk from one. The attack works in two phases: collect encrypted data today (cheap), crack it later (when quantum hardware arrives). The LastPass 2022 breach is a textbook example — attackers walked away with encrypted vaults and have been attempting offline decryption ever since. If those vaults weren't quantum-resistant, the clock is ticking.
NIST begins post-quantum standardisation process. 69 algorithms submitted.
LastPass breach: encrypted vaults exfiltrated. Stored by attackers for future decryption.
NIST finalises ML-KEM as FIPS 203. First post-quantum standard for key encapsulation.
SealedKeys ships ML-KEM-768 hybrid encryption. First password manager to implement FIPS 203.
Cryptographically relevant quantum computers expected. Vaults encrypted without PQC become vulnerable.
ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) is based on the hardness of module lattice problems, a class of problems for which no efficient classical or quantum algorithm is known. Combined with AES-256-GCM in a hybrid scheme, your vault has two independent lines of defence. Breaking one leaves the other intact.
PBKDF2-SHA256 with 600,000 iterations derives a 256-bit AES key from your master password, never leaving your device. This is the same algorithm used today.
A second derivation path produces a deterministic ML-KEM-768 keypair — public and private keys — from your master password. The private key never touches the server.
When encrypting each vault item, ML-KEM encapsulation generates a fresh random 256-bit shared secret and a 1,088-byte ciphertext stored alongside the item.
The final encryption key is derived from both the classical AES key and the ML-KEM shared secret via HKDF-SHA256. An attacker must break both to decrypt an item.
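The two derivation paths and the HKDF combining step described above, as an added Python example (not SealedKeys' published code). The function names, the salt labels that separate the two PBKDF2 paths, and the HKDF info string are assumptions. The ML-KEM shared secret and ciphertext are passed in as constructed values, because Python's standard library has no ML-KEM.

```python
import hashlib
import hmac

VAULT_ITERS = 600_000  # page: PBKDF2-SHA256 iterations for the AES vault key
SEED_ITERS = 100_000   # page: separate path for the ML-KEM seed
KEM_CT_LEN = 1088      # page: ML-KEM-768 ciphertext size in bytes

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_master_keys(password: str, salt: bytes):
    """Run both client-side PBKDF2 paths from one master password."""
    pw = password.encode("utf-8")
    # Assumption: the two paths are separated by distinct salt labels.
    aes_key = hashlib.pbkdf2_hmac("sha256", pw, salt + b"|vault", VAULT_ITERS, 32)
    # 64 bytes because FIPS 203 key generation consumes two 32-byte seeds (d, z).
    kem_seed = hashlib.pbkdf2_hmac("sha256", pw, salt + b"|mlkem", SEED_ITERS, 64)
    return aes_key, kem_seed

def item_key(aes_key: bytes, kem_secret: bytes, kem_ct: bytes) -> bytes:
    """Combine the classical key and the ML-KEM shared secret into one item key."""
    if len(aes_key) != 32 or len(kem_secret) != 32:
        raise ValueError("both input secrets must be 256 bits")
    if len(kem_ct) != KEM_CT_LEN:
        raise ValueError("unexpected ML-KEM-768 ciphertext length")
    # Assumption: the info string carries a format label and a ciphertext hash,
    # so a key is bound to the encapsulation it was derived for.
    info = b"example-v3-item|" + hashlib.sha256(kem_ct).digest()
    return hkdf_sha256(aes_key + kem_secret, salt=b"", info=info)

if __name__ == "__main__":
    # Constructed sample values; a real client gets kem_secret and kem_ct
    # from ML-KEM-768 encapsulation against the user's public key.
    aes_key, kem_seed = derive_master_keys("correct horse battery staple", b"user@example.test")
    kem_secret, kem_ct = bytes(range(32)), bytes(KEM_CT_LEN)
    print(item_key(aes_key, kem_secret, kem_ct).hex())
```

Because both secrets feed the HKDF input, recovering only the password-derived key or only the ML-KEM shared secret does not yield the item key.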
Wire format — v3 encrypted item
base64url-encoded. Unambiguous version prefix — not a valid base64url sequence.
Classical security
256-bit AES-GCM
Grover's algorithm halves effective key length to 128-bit quantum security. Still secure.
Post-quantum security
ML-KEM-768
NIST Level 3. Equivalent to 192-bit classical / quantum-resistant against Shor's algorithm.
Key derivation
PBKDF2-SHA256
600,000 iterations for vault key. Separate 100,000-iteration path for ML-KEM seed. Client-side only.
| Feature | SealedKeys | LastPass | Bitwarden |
|---|---|---|---|
| Post-quantum vault encryption | | | |
| NIST FIPS 203 (ML-KEM) | | | |
| AES-256-GCM symmetric encryption | | | |
| Client-side zero-knowledge KDF | | | |
| Open-source crypto implementation | | | |
| Independent pentest (2026) | | | |
Correct as of June 2026. Verify directly with each vendor.
The full encryption implementation — including the ML-KEM-768 hybrid scheme — is published on GitHub. Any developer can audit exactly how vault keys are derived, how items are encrypted, and verify that the server never receives anything other than ciphertext. Marketing claims about encryption should be verifiable. Ours are.
No. New vault items are automatically encrypted with the v3 hybrid format. Existing items are upgraded to v3 the next time you edit them, or all at once when you change your master password.
ML-KEM-768 is standardised by NIST as FIPS 203 following a 7-year public evaluation process. Its security rests on the hardness of the Module Learning With Errors (MLWE) problem over module lattices, which no known classical or quantum algorithm can solve efficiently at the ML-KEM-768 parameter level. No algorithm is ever 'proven' secure in the absolute mathematical sense, but ML-KEM-768 is the current NIST recommendation for post-quantum key encapsulation.
The hybrid scheme means AES-256-GCM remains as a second independent layer. If ML-KEM-768 were broken but AES-256-GCM were not, your vault would still be protected. An attacker would need to break both components simultaneously, which is far harder than breaking either alone.
ML-KEM key generation and encapsulation are fast lattice operations — typically under 1ms in a modern browser. The additional derivation step on login is imperceptible. Vault item encryption and decryption are unchanged in speed.