SealedKeys — Enterprise Security Brief

Why not LastPass or Bitwarden?

LastPass

LastPass suffered two major breaches (2022). Crucially, the architecture meant encrypted vault data was exfiltrated — meaning attackers had everything they needed to attempt offline decryption at their leisure. LastPass stores a password hash that enables server-side key derivation, which is the fundamental architectural weakness.

SealedKeys derives the vault key client-side, in your browser, before any data touches the server. A breach of SealedKeys servers exposes only AES-256-GCM ciphertext — worthless without the key, which never leaves your machine.

Bitwarden

Bitwarden is open-source and genuinely zero-knowledge. The gaps for technical teams: no dedicated SSH key or API key field types, SAML SSO requires the Enterprise plan (significant additional cost), EU data residency is not guaranteed on the standard plan, and there is no Cyber Essentials certification for UK supply chain requirements.

Bitwarden is a solid choice for generic password storage. It is not designed for teams managing SSH keys, API tokens and infrastructure credentials.

What makes SealedKeys different

🔑

SSH & API key types

Dedicated field layouts for SSH private keys (fingerprint, passphrase, associated service) and API tokens (name, environment, expiry). Not generic password fields with workarounds.

📋

Per-copy audit log

Every time a user copies a password, API key or SSH key — we record: who (email address), what (which field), when (timestamp), where (IP address). Stored in your EU-hosted database. Not on a third-party logging server.

🇪🇺

EU data residency — all plans

All data is stored on Hetzner EU infrastructure. No enterprise agreement required. Relevant for UK GDPR, EU data residency requirements, and government supply chain audits.

🔐

True zero-knowledge

The vault key is derived client-side using PBKDF2-SHA256 (600,000 iterations). The server stores only AES-256-GCM ciphertext. The full encryption implementation is open-source and independently auditable on GitHub.

✅

Cyber Essentials certified

UK Cyber Essentials certified with an independent penetration test completed May 2026 — zero exploitable findings across 42 test cases. Required for some UK government supply chain contracts.

💻

CLI tool

The SealedKeys CLI lets developers access secrets from the terminal and CI/CD pipelines. sealedkeys get "DB password" --field password --raw. Zero-knowledge — all decryption is local.

Feature comparison

Feature	SealedKeys	LastPass	Bitwarden	1Password
Zero-knowledge architecture	✓ Key never leaves browser	✗ Breached 2022; server-side hash	✓	✓ Server-assisted KDF
SSH key storage (dedicated type)	✓	✗	✗	✓
API key storage (dedicated type)	✓	✗	✗	✗
Per-copy audit log (who copied what)	✓ Email, field, IP, timestamp	✓ Basic; on LP servers	✓ Enterprise plan only	✓ Business plan only
SAML 2.0 SSO — standard plan	✓ Included in Pro	✓ Teams plan	✗ Enterprise only	✗ Business plan required
EU data residency — all plans	✓ Hetzner EU, always	✗	✗ US by default	✓ Business plan
Cyber Essentials certified (UK)	✓	✗	✗	✗
Open-source encryption layer	✓ github.com/sealedkeys/crypto	✗	✓	✗
CLI tool for terminal / CI-CD	✓	✗	✓ bw CLI	✓ op CLI
Contractor offboarding checklists	✓	✗	✗	✗
Independent pentest (2026)	✓ 0 exploitable findings	✗ Not published	✗ Not recent	✗
Price (Pro / per user / month)	£3.49	~£3.00	~£2.80	~£6.50

Prices and features correct as of May 2026. Verify directly with each vendor.

Security architecture — the short version

How your vault stays safe

You create your account with a master password.
Your browser runs PBKDF2-SHA256 (600,000 iterations) to derive a 256-bit AES key. This key never leaves your browser.
Every secret is encrypted with AES-256-GCM before being sent to the server.
The server stores only ciphertext + IV. Even a full database breach exposes nothing readable.
The encryption implementation is published on GitHub. Any developer can verify the zero-knowledge claim.

What the server can and cannot see

Data	Visible to server?
Your master password	✗ Never
Your vault key	✗ Never
Plaintext passwords / keys	✗ Never
Vault item names (metadata)	✓ Yes
Audit events (who copied what)	✓ Yes (your data)
Encrypted ciphertext blobs	✓ Yes (unreadable)

Certifications & independent verification

✓ UK Cyber Essentials Certified

✓ Independent Pentest — May 2026

✓ GDPR Compliant (UK & EU)

✓ DPA Available on Request

✓ Open-Source Encryption Layer

✓ EU Infrastructure (Hetzner)

✓ TLS 1.3 in Transit

✓ AES-256-GCM at Rest

May 2026 penetration test: Conducted by an independent security firm across 42 test cases covering authentication, session management, encryption implementation, API security, and access controls. Zero exploitable findings. Report available to enterprise prospects under NDA.

The audit log — your most important security control

The question that matters after any security incident is not "was our vault encrypted?" — it is "which credentials did the contractor copy before they left, and when?"

Chrome's clipboard logs nothing. Most password managers log to their own servers — you see a line item on a report, weeks later, if you ask for it.

SealedKeys logs every copy, view, edit and deletion to your own EU-hosted database in real time. You can query it, export it, and include it in a security incident report. It is your data, not a feature you rent from a vendor.

Sample audit log entries

james@acme.com ITEM_COPIED · password	5 Jun 23:04 89.247.x.x
alex@acme.com ITEM_COPIED · apiKey	5 Jun 17:31 82.19.x.x
sarah@acme.com ITEM_COPIED · sshPrivateKey	4 Jun 09:12 78.32.x.x
james@acme.com MEMBER_REMOVED · team	3 Jun 16:00 89.247.x.x

Every row: email · field name · timestamp · IP address

Pricing

Free

£0

forever

25 vault items
All secret types
CLI tool access
Security dashboard

Pro — most popular

£3.49

per user / month (or £34.90/year)

Unlimited vault items
SAML 2.0 SSO (Okta, Entra, Google)
Full audit log
Team vault sharing
Contractor offboarding
CLI tool
EU data residency

Enterprise

Talk to us

Everything in Pro
Custom SSO configuration
Dedicated account management
SLA & signed DPA
Pentest report (NDA)
Priority support
Custom contract terms

Common questions

"We already use Bitwarden / 1Password."

SealedKeys runs alongside your existing tool in under 30 minutes — we have importers for both. The question to ask your current provider: can you show me exactly which API keys the contractor who left last month copied, and from which IP address? If the answer is no, that is the gap SealedKeys fills.

"We need to go through IT security review."

We can supply: Cyber Essentials certificate, DPA, pentest report summary, open-source GitHub link for the encryption layer, architecture diagram, and a security questionnaire completed in advance. We are designed to pass IT security review — not to make it harder.

"Is a small company secure enough for our data?"

The zero-knowledge architecture means even we cannot read your vault. A breach of SealedKeys infrastructure exposes only AES-256-GCM ciphertext — mathematically worthless without the key, which never leaves your devices. The encryption implementation is public, independently audited, and open to inspection by your security team.

"What happens to our data if SealedKeys closes?"

Export your vault at any time in two formats: plaintext JSON (your data, readable immediately) or encrypted backup (decryptable via our open-source offline viewer with your master password — no SealedKeys account or servers required). You are never locked in.

"Can we get a trial without committing to a contract?"

Yes. The free tier gives every team member a fully functional account. Import your existing vault, explore the audit log, test the SSO integration. No credit card required. When you are ready to move to Pro, the migration is immediate.