"SealedKeys is a zero-knowledge vault for teams. It's where you store every secret your business runs on — passwords, API keys, SSH keys, deployment tokens, contractor credentials — all encrypted on your device before it ever reaches our servers. Even if we were hacked, there would be nothing to steal. It's free to start and £1.99 per user per month to scale."
SealedKeys is a zero-knowledge secrets vault — a secure place to store, organise and share every type of business credential, with team access controls and a full audit trail.
Username, password, URL. The familiar password manager use case.
Stripe keys, GitHub tokens, AWS credentials, Twilio — all tagged and organised.
Private keys stored encrypted. Never visible to our servers — ever.
2FA backup codes, safe and accessible when you need them most.
Free-text encrypted notes for anything sensitive that doesn't fit a template.
Database credentials, certificates, and custom templates on the roadmap.
"Think of it like a safe where only you know the combination. We built the safe and we store it for you, but the combination is in your head — we never know it. So even if someone broke into our building and stole the safe, it would be useless without your combination."
"Your master password never leaves your browser. We use PBKDF2 at 600,000 iterations to derive a 256-bit AES-GCM key entirely client-side. Every secret is encrypted with that key before the API call is made. The server receives and stores only opaque base64url ciphertext. We literally cannot decrypt your data — there's no backdoor, no recovery path, and no master key on our side."
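The flow in that pitch, as an added Python sketch (not SealedKeys' own code, which runs in the browser): a key is derived from the master password, and only salt, nonce and ciphertext are encoded for storage. The PBKDF2 hash (HMAC-SHA-256), the salt and nonce sizes, the blob layout and all function names are assumptions. It needs the `cryptography` package.

```python
import base64
import hashlib
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

ITERATIONS = 600_000          # figure quoted on the page
SALT_LEN, NONCE_LEN = 16, 12  # assumptions: random salt, 96-bit GCM nonce


def derive_key(master_password: str, salt: bytes) -> bytes:
    """PBKDF2 to a 32-byte (256-bit) key. HMAC-SHA-256 is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               ITERATIONS, dklen=32)


def seal(master_password: str, plaintext: str) -> str:
    """Client side: returns the only value a server would ever receive."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = derive_key(master_password, salt)
    ct = AESGCM(key).encrypt(nonce, plaintext.encode(), None)  # ct includes the tag
    return base64.urlsafe_b64encode(salt + nonce + ct).rstrip(b"=").decode()


def open_sealed(master_password: str, blob: str) -> Optional[str]:
    """Client side: None when the password is wrong or the blob was altered."""
    raw = base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4))
    salt, rest = raw[:SALT_LEN], raw[SALT_LEN:]
    nonce, ct = rest[:NONCE_LEN], rest[NONCE_LEN:]
    try:
        key = derive_key(master_password, salt)
        return AESGCM(key).decrypt(nonce, ct, None).decode()
    except InvalidTag:
        return None


if __name__ == "__main__":
    stored = seal("correct horse battery staple", "CONSTRUCTED-api-key-123")
    print("server stores:", stored)
    print("wrong password ->", open_sealed("guess", stored))
```

The GCM tag is what makes a wrong password or a modified blob fail cleanly rather than return garbage.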
| Plan | Price | Who it's for | Key limits |
|---|---|---|---|
| Free | £0 forever | Individuals, solo founders, evaluation | 50 items · 1 org · 3 members · 30-day audit log |
| Pro ⭐ | £1.99 / user / month | Growing teams, agencies, startups | Unlimited items · Unlimited orgs & members · 1-year audit log |
| Enterprise | Custom | Larger orgs, compliance-driven buyers | Everything in Pro + SCIM · Dedicated instance · SLA · BAA |
Selling point: At £1.99/user/month, a 10-person team pays £19.90/month — less than two coffees. Bitwarden Teams is $4/user/month. 1Password Business is $7.99/user/month. We are the most affordable true zero-knowledge team vault on the market.
There are two types of competitor. Know which one you're being compared to.
These are built for personal password storage. Teams are an afterthought bolted on later. They're priced for enterprise and aren't designed for technical secrets like SSH keys and API tokens at scale.
These are CLI-first, infrastructure-heavy tools for injecting secrets into CI/CD pipelines. They require engineering time to set up and maintain. Non-technical teammates can't use them.
We are the team-first, zero-knowledge vault that non-developers can actually use, while being technically rigorous enough that developers trust the security model. One vault for the whole company — passwords, API keys and SSH keys in the same place, with proper roles and a proper audit trail.
| Feature | SealedKeys | LastPass Teams | Bitwarden Teams | Doppler |
|---|---|---|---|---|
| True zero-knowledge | ✓ Yes | ✗ (had breach 2022) | ✓ Yes | ✗ Server-side keys |
| SSH key storage | ✓ Yes | ✗ No | Partial | ✗ No |
| Non-technical UI | ✓ Yes | ✓ Yes | ✓ Yes | ✗ CLI-first |
| Contractor offboarding | ✓ Built-in | Manual | Manual | Partial |
| Price per user/month | £1.99 | $4.00 | $4.00 | $6.00+ |
| Free tier | ✓ 50 items | ✗ Removed | ✓ Limited | ✓ Limited |
In December 2022, LastPass suffered a breach in which encrypted customer vaults were stolen. Attackers were able to crack weak master passwords and access plaintext credentials. This is a powerful, factual reason to choose a more modern, auditable architecture. Use it when a prospect mentions LastPass — don't mention it unprompted.
The ideal demo takes 12–15 minutes. Open sealedkeys.com in a browser with a pre-created demo account.
"This is our homepage. Notice the trust bar at the top — AES-256-GCM, zero plaintext stored. We're going to show you exactly what that means in practice, not just as marketing copy."
"Notice what happens when you register. We ask for a master password and we tell you immediately: we cannot recover this. That's because we never store it — not even hashed in a way that's useful. Your vault key is derived right here in your browser. Watch the URL bar — no data leaves this page until you hit 'Create vault'."
"Let me add a secret — I'll use a real-world example your team will recognise. Let's say this is your Stripe production API key."
"Now let's talk about teams. Most of your secrets aren't just yours — they belong to the company. Here's how you share them without losing control."
"Here's the audit log. Every single action — who viewed it, who copied it, who changed it, when, from what session. If a credential leaks, you know exactly who had access and when. This is what compliance auditors want to see."
"Here's something no other password manager has. SealedKeys analyses every secret in your vault — right here in your browser, without sending anything to us — and gives you a security score. It spots weak passwords, reused credentials, secrets that haven't been rotated in 90 days, and passwords that appear in known data breaches. That last check uses a technique called k-anonymity: we send only the first five characters of a SHA-1 hash to HaveIBeenPwned — never the actual password."
"Free to start today — no card needed. If you have five people who need shared access, that's £9.95 a month on Pro. Less than a round of coffees, and you've eliminated the single biggest source of company data breaches."
Pain: Engineers paste API keys into Slack. Founders share server passwords over email. No one knows what the last contractor had access to.
Champion: CTO or Lead Developer
Hook: "One source of truth for every secret, with a full audit trail. Free to start."
Pain: Managing credentials for 20+ client accounts. Client handoffs are chaotic. Offboarding freelancers is manual and risky.
Champion: Head of Operations or Tech Lead
Hook: "Per-client organisation vaults with read-only contractor access and one-click offboarding."
Pain: Passed a pen test, failed a compliance audit, or had a near-miss leak. Now they need to show evidence of secrets governance.
Champion: CISO, Head of Engineering, or whoever got the audit finding
Hook: "Full audit log, role-based access, zero-knowledge encryption — all the evidence an auditor wants to see."
Pain: Managing credentials for multiple clients on personal devices, without mixing them or exposing one client's secrets to another.
Champion: The freelancer themselves
Hook: "Separate organisation vault per client. Free tier covers most freelancers."
Use these in your first call to qualify quickly and uncover pain.
"There's no risk to trying — sign up free at sealedkeys.com, add your first few secrets, invite a colleague. If it fits, upgrading to Pro is one click. If you have five people, that's £9.95 a month — I'll send you a calendar invite for a 15-minute check-in next week to see if you have any questions."
"You mentioned [the contractor situation / the spreadsheet / the near-miss]. That's exactly the scenario SealedKeys was built for. The free plan takes about three minutes to set up — it makes sense to have it in place before you need it rather than after."
"For your team size, the Enterprise plan gives you a dedicated instance, an SLA, and a BAA if you need it for compliance. Let me get a commercial proposal over to you by end of week — can we confirm the number of users and any specific compliance requirements?"
The following features were shipped after the initial launch and represent strong differentiators. Lead with them when speaking to security-conscious buyers or when a competitor comparison is happening.
Users can enable TOTP-based two-factor authentication from their account settings. After entering their password, they are prompted for a 6-digit code from their authenticator app (Google Authenticator, Authy, 1Password, etc.). Login is blocked without the correct code.
Setup is in-app: a QR code is shown, the user scans it, enters a code to confirm, and MFA is live. Disabling MFA requires confirming with a current code, so there are no accidental lockouts.
"MFA is live on every account. If a team member's password is ever compromised — phishing, credential stuffing, reuse from another site — the attacker still can't get in without the second factor. For compliance purposes, you can tell an auditor that all SealedKeys accounts require MFA. That closes a lot of findings in one sentence."
The health dashboard runs entirely in the browser, after the vault is decrypted. No data is ever sent to our servers for this analysis. It performs four checks:
A 0–100 score ring (green / amber / red), four stat cards, and an issues list grouped by severity — Critical, High, Medium, Low. Each issue has a "Fix →" link that jumps directly to the affected vault item.
No competing product at this price point has a built-in security health score. It gives a security-conscious CTO instant visibility and gives a CISO something to report upward. It is a genuine AI-powered differentiator delivered at zero marginal cost.
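The local checks named in the demo script and in this section (reused credentials, secrets not rotated in 90 days, and the k-anonymity breach lookup), as an added Python sketch that is not SealedKeys' own code. The item fields, function names and the offline `fake_range` stand-in with its sample rows are constructed; rows follow the `SUFFIX:COUNT` format of the Pwned Passwords range API, and the weak-password check is left out because the page gives no criterion for it.

```python
import hashlib
from collections import Counter
from datetime import date

ROTATION_DAYS = 90  # rotation threshold quoted on the page
SENT = []           # constructed: records every value that would leave the device


def sha1_hex(secret):
    return hashlib.sha1(secret.encode()).hexdigest().upper()


def is_breached(secret, fetch_range):
    """k-anonymity lookup: only the 5-char prefix is sent; count-0 rows are padding."""
    digest = sha1_hex(secret)
    for line in fetch_range(digest[:5]).splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix.upper() == digest[5:] and count.isdigit() and int(count) > 0:
            return True
    return False


def audit(items, today, fetch_range):
    """items: dicts with 'name', 'secret', 'rotated' (a date). Returns findings."""
    uses = Counter(item["secret"] for item in items)
    findings = []
    for item in items:
        if is_breached(item["secret"], fetch_range):
            findings.append((item["name"], "breached"))
        if uses[item["secret"]] > 1:
            findings.append((item["name"], "reused"))
        if (today - item["rotated"]).days > ROTATION_DAYS:
            findings.append((item["name"], "stale"))
    return findings


def fake_range(prefix):
    """Constructed offline stand-in for the range endpoint."""
    SENT.append(prefix)
    known = sha1_hex("password")  # constructed breached entry
    hit = [known[5:] + ":42"] if known.startswith(prefix) else []
    return "\r\n".join(["0" * 35 + ":3", "F" * 35 + ":0"] + hit)


VAULT = [  # constructed sample vault, already decrypted in memory
    {"name": "wiki", "secret": "password", "rotated": date(2024, 5, 1)},
    {"name": "crm", "secret": "password", "rotated": date(2024, 1, 1)},
    {"name": "stripe", "secret": "constructed-unique-value", "rotated": date(2024, 5, 20)},
]
```

Calling `audit(VAULT, date(2024, 6, 1), fake_range)` flags both reused entries as breached and only `crm` as stale, while `SENT` holds nothing but five-character prefixes.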
The vault automatically locks after a configurable period of inactivity: 5, 15 or 30 minutes, or 1 hour. When it locks, the decryption key is wiped from memory. The user must re-enter their master password (and MFA code if enabled) to unlock. The timeout is set under Settings → Vault → Auto-lock timeout.
Many security policies and compliance frameworks require that sensitive systems lock after a period of inactivity. SealedKeys satisfies this requirement out of the box — no configuration beyond setting the timeout. Mention this to buyers with SOC 2 or ISO 27001 requirements.
"If someone leaves their laptop unlocked and walks away, SealedKeys locks itself. The vault key is wiped from memory — not just hidden, actually gone. The next person to sit down at that machine sees a login prompt, not an open vault. This is table stakes for any serious security policy."
SealedKeys gives users full control over their data with two export formats and an air-gapped offline viewer.
Decrypts all secrets in the browser and downloads them as a readable JSON file. Useful for migrating to another tool. The user must tick a confirmation checkbox acknowledging the security risk. The export never touches the server: the file is generated entirely in the browser.
Exports the raw AES-256-GCM ciphertext — mathematically identical to what is stored on our servers. Safe to store on a USB drive, NAS, or cloud storage without risk. Only decryptable with the user's master password.
Alongside the encrypted backup, SealedKeys provides a single self-contained HTML file — the Offline Vault Viewer. This file has zero external dependencies. Users can:
This is analogous to a hardware wallet's offline seed phrase recovery tool — a last-resort mechanism that gives users full access to their data even if SealedKeys as a company ceased to exist.
Selling point: Data portability is a trust signal. When a prospect asks "what if you go out of business?", the answer is: "You have your encrypted backup and the offline viewer on a USB drive. You will always be able to access your secrets regardless of what happens to us." No other SMB-tier vault can make that claim.
| Feature | SealedKeys | LastPass Teams | Bitwarden Teams | 1Password Business |
|---|---|---|---|---|
| True zero-knowledge | ✓ Yes | ✗ (breached 2022) | ✓ Yes | ✓ Yes |
| TOTP / MFA | ✓ Built-in | ✓ Yes | ✓ Yes | ✓ Yes |
| Security health score | ✓ Yes (+ breach check) | Partial | ✗ No | Partial |
| Vault auto-lock | ✓ Configurable | ✓ Yes | ✓ Yes | ✓ Yes |
| Offline / air-gapped viewer | ✓ Yes (single HTML file) | ✗ No | ✗ No | ✗ No |
| SSH key storage | ✓ Yes | ✗ No | Partial | ✗ No |
| Price per user/month | £1.99 | $4.00 | $4.00 | $7.99 |
SealedKeys Sales Manual · hello@sealedkeys.com · sealedkeys.com · Confidential