Zero-knowledge · Cyber Essentials certified · EU hosted

Team Password Manager
built for technical teams

Stop sharing credentials over Slack. SealedKeys gives your team a zero-knowledge vault for passwords, API keys, SSH keys and secrets — with SSO, audit logs and Cyber Essentials certification.

In short

SealedKeys is a zero-knowledge team password manager for small technical teams, storing passwords, API keys and SSH keys in shared organisation vaults with Owner, Admin, Member and Read-only roles. All secrets are encrypted in the browser with AES-256-GCM before they reach the server, and SAML SSO is included in the Pro plan.

Replace every insecure workaround

The things technical teams actually do with credentials — and what to do instead.

Passwords shared in Slack or email → Encrypted vault with granular access control
Spreadsheets with API keys on shared drives → Typed secret fields — API keys, SSH keys, TOTP seeds
No record of who accessed what → Immutable audit log — every view, copy and change recorded
Offboarding leaves credential exposure → Revoke access instantly — secrets never leave the vault
Each person uses a different password manager → One team vault, shared access, individual accounts

Everything a technical team needs

Built by engineers, for engineers — not a dumbed-down consumer app.

Every secret type

Passwords, API keys, SSH keys, TOTP seeds, recovery codes and secure notes — all encrypted client-side before leaving your browser.

Team vaults

Separate vaults for different teams or projects. Share with contractors without exposing the rest of the vault.

Full audit trail

Every access, copy, edit and deletion is logged with timestamp, user and IP. Know exactly who did what and when.

SAML 2.0 SSO

Sign in via Okta, Entra ID or Google Workspace. Zero-knowledge preserved — your vault key never passes through the SSO provider.

Cyber Essentials certified

UK Government Cyber Essentials certified. Suitable for public sector suppliers and government contractors.

Zero-knowledge

Secrets are encrypted on your device. The server stores only ciphertext — we cannot read your data even if compelled to.

How SealedKeys compares

vs. LastPass Teams and Bitwarden Teams

Feature | SealedKeys | LastPass | Bitwarden
Zero-knowledge architecture
SAML 2.0 SSO included
SSH key storage
API key storage with notes
Cyber Essentials certified
Open-source encryption layer
EU data residency
Price per user/month | £3.49 | £6.50+ | £3.99+

Not just passwords

Most password managers are built for website logins. SealedKeys is built for the full range of secrets a technical team holds.

Passwords & logins
SSH private keys
API keys & tokens
TOTP / 2FA seeds
Recovery & backup codes
Encrypted notes

Common questions

Can we try SealedKeys before committing?

Yes. The Free plan includes 25 vault items and full access to every feature — zero-knowledge encryption, audit log, all secret types. No credit card required. Upgrade to Pro at £3.49/user/month when you need more capacity.

Does SealedKeys support SSO with our identity provider?

Yes. SealedKeys supports SAML 2.0, compatible with Okta, Microsoft Entra ID (formerly Azure AD) and Google Workspace. The zero-knowledge architecture is fully preserved — the identity provider handles authentication only. Each user's vault key is still derived client-side from a separate vault password.

What secret types can the team store?

SealedKeys supports six secret types: website logins (username, password, URL, TOTP seed), API keys and tokens, SSH private keys, recovery and backup codes, and secure notes. All are encrypted identically with AES-256-GCM before leaving the browser.

How does zero-knowledge work across a team?

Each team member derives their own vault key from their master password using PBKDF2; that key never leaves their device. Shared vault items are encrypted with an organisation key that is itself wrapped with each member's individual key. The server stores only ciphertext; even with database access we cannot read your secrets.
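
The key hierarchy described in this answer, sketched as an added example (not SealedKeys' own code). It uses Node's built-in crypto module in place of the browser's Web Crypto API; the iteration count, SHA-256 digest, salt and IV sizes, AAD labels and all function names are assumptions.

```javascript
const crypto = require('node:crypto');
// Assumption: the page names PBKDF2 only; the count and SHA-256 are chosen here.
const ITERATIONS = 600000;

// AES-256-GCM with a fresh 96-bit IV per box; aad ties a box to its purpose.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function unseal(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // final() throws on a bad tag
}

// Runs on the member's device: master password -> 256-bit vault key.
function deriveVaultKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
}

// Stand-in for the server database: salts and ciphertext only.
function newServer() { return { members: {}, items: {} }; }

function enroll(server, member, password, orgKey) {
  const salt = crypto.randomBytes(16);
  const wrapped = seal(deriveVaultKey(password, salt), orgKey, `orgkey:${member}`);
  server.members[member] = { salt, wrapped };
}

function unlockOrgKey(server, member, password) {
  const rec = server.members[member];
  if (!rec) throw new Error(`no wrapped key for ${member}`);
  return unseal(deriveVaultKey(password, rec.salt), rec.wrapped, `orgkey:${member}`);
}

function putItem(server, orgKey, id, secret) {
  server.items[id] = seal(orgKey, secret, `item:${id}`);
}

function readItem(server, member, password, id) {
  const orgKey = unlockOrgKey(server, member, password);
  return unseal(orgKey, server.items[id], `item:${id}`).toString('utf8');
}

function revoke(server, member) { delete server.members[member]; }
```

In this sketch revocation deletes the member's wrapped copy of the organisation key, so their password no longer unlocks anything; secrets they had already viewed still need rotating.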

Is there a limit on team size?

The Free plan supports up to 3 members per organisation. Pro at £3.49/user/month supports unlimited members and unlimited organisations — suitable for large teams, multiple departments, or contractor access.

What happens when a team member or contractor leaves?

Revoke their access in Settings → Members. Immediately after revocation they can no longer authenticate or decrypt vault items. SealedKeys also provides an offboarding checklist so you can identify and rotate any secrets the departing member had access to.

Get your team on SealedKeys

Free to start — no credit card. Takes 2 minutes to set up. Your credentials stop living in Slack.