SSH private keys are among the most sensitive credentials a technical team holds. SealedKeys gives you a zero-knowledge encrypted vault for SSH keys — with access control, audit logs and instant revocation.
Designed for the actual shape of SSH key data — not a generic password field.
Dedicated field layout for private key, public key, passphrase, hostname and notes. No adapting password fields for a different data shape.
SSH private keys are encrypted in your browser with AES-256-GCM before leaving your device. The server never sees the private key.
Every time a private key is viewed or copied, it is logged with user, timestamp and IP. Know who accessed a server key and when.
Share individual keys with specific team members. Read-only access for contractors. Full revocation on offboarding.
Yes. SealedKeys has a dedicated SSH key secret type with fields for the private key, public key, optional passphrase, associated hostname and notes. The private key is encrypted in your browser before being sent to the server.
With zero-knowledge encryption, yes. The private key is encrypted with AES-256-GCM using a key derived from your master password. The server receives only ciphertext — if SealedKeys were breached, attackers would have an encrypted blob they cannot decrypt without your master password.
Yes. Contractors have their own SealedKeys accounts. You share the key item with them through the vault — they decrypt it with their own vault key. Their access can be revoked instantly when the contract ends.
Revoking access removes their ability to decrypt and view the key from that point forward. It does not delete any previously downloaded copies — which is why the audit log and proactive rotation on offboarding are important.
SealedKeys stores SSH keys as text — it is key-type agnostic. ed25519, RSA, ECDSA and any other format can be stored as a text value in the private key field.
25 items free. No credit card. Encrypted before it leaves your browser.