Stop sharing credentials over Slack. SealedKeys gives your team a zero-knowledge vault for passwords, API keys, SSH keys and secrets — with SSO, audit logs and Cyber Essentials certification.
In short
SealedKeys is a zero-knowledge team password manager for small technical teams, storing passwords, API keys and SSH keys in shared organisation vaults with Owner, Admin, Member and Read-only roles. All secrets are encrypted in the browser with AES-256-GCM before they reach the server, and SAML SSO is included in the Pro plan.
The things technical teams actually do with credentials — and what to do instead.
Built by engineers, for engineers — not a dumbed-down consumer app.
Passwords, API keys, SSH keys, TOTP seeds, recovery codes and secure notes — all encrypted client-side before leaving your browser.
Separate vaults for different teams or projects. Share with contractors without exposing the rest of the vault.
Every access, copy, edit and deletion is logged with timestamp, user and IP. Know exactly who did what and when.
Sign in via Okta, Entra ID or Google Workspace. Zero-knowledge preserved — your vault key never passes through the SSO provider.
UK Government Cyber Essentials certified. Suitable for public sector suppliers and government contractors.
Secrets are encrypted on your device. The server stores only ciphertext — we cannot read your data even if compelled to.
vs. LastPass Teams and Bitwarden Teams
| Feature | SealedKeys | LastPass | Bitwarden |
|---|---|---|---|
| Zero-knowledge architecture | — | ||
| SAML 2.0 SSO included | — | — | |
| SSH key storage | — | — | |
| API key storage with notes | — | — | |
| Cyber Essentials certified | — | — | |
| Open-source encryption layer | — | ||
| EU data residency | — | — | |
| Price per user/month | £3.49 | £6.50+ | £3.99+ |
Most password managers are built for website logins. SealedKeys is built for the full range of secrets a technical team holds.
Yes. The Free plan includes 25 vault items and full access to every feature — zero-knowledge encryption, audit log, all secret types. No credit card required. Upgrade to Pro at £3.49/user/month when you need more capacity.
Yes. SealedKeys supports SAML 2.0, compatible with Okta, Microsoft Entra ID (formerly Azure AD) and Google Workspace. The zero-knowledge architecture is fully preserved — the identity provider handles authentication only. Each user's vault key is still derived client-side from a separate vault password.
SealedKeys supports six secret types: website logins (username, password, URL, TOTP seed), API keys and tokens, SSH private keys, recovery and backup codes, and secure notes. All are encrypted identically with AES-256-GCM before leaving the browser.
Each team member derives their own vault key from their master password using PBKDF2 — this never leaves their device. Shared vault items are encrypted with an organisation key that is itself wrapped in each member's individual key. The server stores only ciphertext; even with database access we cannot read your secrets.
The Free plan supports up to 3 members per organisation. Pro at £3.49/user/month supports unlimited members and unlimited organisations — suitable for large teams, multiple departments, or contractor access.
Revoke their access in Settings → Members. Immediately after revocation they can no longer authenticate or decrypt vault items. SealedKeys also provides an offboarding checklist so you can identify and rotate any secrets the departing member had access to.
Free to start — no credit card. Takes 2 minutes to set up. Your credentials stop living in Slack.