Over LastPass and Bitwarden. We'll also tell you where they have the advantage — because if SealedKeys isn't the right fit, you should know that too.
In short
SealedKeys is a zero-knowledge password manager built for technical teams, with dedicated SSH and API key types, a per-copy audit log, EU hosting on every plan, Cyber Essentials certification, and a May 2026 independent pentest. It is currently web-only — no browser extension yet.
A contractor leaves on a Friday. On Monday you realise three credentials may be compromised. The question that matters is not “was our vault encrypted?” — it is “which specific fields did they copy, from which device, at what time?”
LastPass gives you a vague event list, stored on LastPass servers, on paid plans. Bitwarden's audit log is Enterprise-only and logs item-level access, not the specific field copied. Neither tells you whether James copied the password field or just viewed the item name.
SealedKeys logs every copy, view, edit and deletion with: the user's email address, the exact field name (password, apiKey, sshPrivateKey), the timestamp, and the IP address. Stored in your own EU-hosted database, queryable and exportable.
| User | Field copied |
|---|---|
| james@acme.com | password |
| alex@acme.com | apiKey |
| sarah@acme.com | sshPrivateKey |
| james@acme.com | — |
Row 1: James copied the password field from Production DB at 11pm on a Friday from an IP you don't recognise. You know in 30 seconds. That's the difference.
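The triage described above, written out as runnable code. This is an added example, not SealedKeys' own tooling or export format: the CSV column layout, the sample rows, the office/VPN range 203.0.113.0/24 and the 08:00-18:00 UTC working window are all constructed assumptions. It parses a per-field audit export and flags copies of secret fields that happened out of hours, at the weekend, or from an IP outside the ranges you recognise, optionally scoped to one departed account.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"net/netip"
	"strings"
	"time"
)

// Event is one row of an exported per-copy audit log.
type Event struct {
	Time   time.Time
	User   string
	Action string // copy, view, edit, delete
	Item   string
	Field  string // password, apiKey, sshPrivateKey, ... (empty for item-level views)
	IP     netip.Addr
}

// Finding is an event worth a human's attention, with the reasons it was flagged.
type Finding struct {
	Event   Event
	Reasons []string
}

// SampleExport is constructed sample data. The column layout is an assumption
// made for this example, not the real SealedKeys export format.
const SampleExport = `timestamp,user,action,item,field,ip
2026-05-15T09:12:04Z,alex@acme.com,copy,Payments API,apiKey,203.0.113.10
2026-05-15T23:04:51Z,james@acme.com,copy,Production DB,password,198.51.100.77
2026-05-15T23:05:30Z,james@acme.com,view,Production DB,,198.51.100.77
2026-05-16T10:30:00Z,sarah@acme.com,copy,Bastion,sshPrivateKey,203.0.113.22
2026-05-18T14:00:00Z,james@acme.com,view,Staging DB,,203.0.113.10
`

// secretFields are the fields whose copy events matter for containment.
var secretFields = map[string]bool{"password": true, "apiKey": true, "sshPrivateKey": true}

// ParseExport reads the CSV export into typed events, rejecting malformed rows
// rather than silently skipping them.
func ParseExport(data string) ([]Event, error) {
	rows, err := csv.NewReader(strings.NewReader(data)).ReadAll()
	if err != nil {
		return nil, err
	}
	if len(rows) == 0 {
		return nil, nil
	}
	var events []Event
	for i, row := range rows[1:] { // rows[0] is the header
		if len(row) != 6 {
			return nil, fmt.Errorf("row %d: want 6 columns, got %d", i+1, len(row))
		}
		ts, err := time.Parse(time.RFC3339, row[0])
		if err != nil {
			return nil, fmt.Errorf("row %d: bad timestamp: %w", i+1, err)
		}
		ip, err := netip.ParseAddr(row[5])
		if err != nil {
			return nil, fmt.Errorf("row %d: bad ip: %w", i+1, err)
		}
		events = append(events, Event{Time: ts, User: row[1], Action: row[2], Item: row[3], Field: row[4], IP: ip})
	}
	return events, nil
}

func trusted(ip netip.Addr, ranges []netip.Prefix) bool {
	for _, p := range ranges {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// Triage returns copies of secret fields at or after `since` that happened outside
// startHour..endHour UTC, on a weekend, or from an IP outside the trusted ranges.
// user == "" looks at everyone; otherwise only that account (e.g. the departed contractor).
func Triage(events []Event, user string, since time.Time, ranges []netip.Prefix, startHour, endHour int) []Finding {
	var findings []Finding
	for _, e := range events {
		if e.Action != "copy" || !secretFields[e.Field] || e.Time.Before(since) {
			continue
		}
		if user != "" && e.User != user {
			continue
		}
		var reasons []string
		t := e.Time.UTC()
		if h := t.Hour(); h < startHour || h >= endHour {
			reasons = append(reasons, "outside working hours")
		}
		if wd := t.Weekday(); wd == time.Saturday || wd == time.Sunday {
			reasons = append(reasons, "weekend")
		}
		if !trusted(e.IP, ranges) {
			reasons = append(reasons, "unrecognised IP")
		}
		if len(reasons) > 0 {
			findings = append(findings, Finding{Event: e, Reasons: reasons})
		}
	}
	return findings
}

func main() {
	events, err := ParseExport(SampleExport)
	if err != nil {
		panic(err)
	}
	office := []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24")} // constructed office/VPN range
	for _, f := range Triage(events, "", time.Time{}, office, 8, 18) {
		fmt.Printf("%s %s copied %q of %q from %s: %s\n",
			f.Event.Time.Format(time.RFC3339), f.Event.User, f.Event.Field, f.Event.Item,
			f.Event.IP, strings.Join(f.Reasons, ", "))
	}
}
```

Run as-is and the Friday 23:04 copy of the Production DB password from 198.51.100.77 surfaces with two reasons, the Saturday SSH key copy with one, and the item-level views with none, which is exactly the distinction between "viewed the item" and "copied the secret" that an item-level log cannot make.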
LastPass and Bitwarden store all credentials as generic password entries or secure notes. If you're storing an SSH private key, you create a note, paste the key in, and hope your team knows which field to use. There's no concept of a fingerprint, passphrase, or associated service — because the product wasn't designed for it.
LastPass / Bitwarden
SSH private key goes in… Notes? Password? Up to you.
SealedKeys — SSH Key type
Right fields, right labels, right type.
SealedKeys has dedicated types for SSH keys (key name, private key, public key, fingerprint, environment) and API tokens (token name, key value, environment, expiry date, associated service). The audit log then records exactly which field was copied — sshPrivateKey vs sshPublicKey — not just “SSH Key item was accessed.”
In December 2022, LastPass confirmed that attackers had exfiltrated encrypted customer vaults. The fundamental problem: LastPass's server-side architecture meant encrypted vault data could be scooped up en masse, leaving attackers to attempt offline decryption at their leisure using hardware they control.
Bitwarden gets the architecture right — vault keys are derived client-side, the server stores only ciphertext. SealedKeys uses the same approach: PBKDF2-SHA256 with 600,000 iterations, AES-256-GCM, client-side only. The encryption implementation is published on GitHub so any developer can verify the zero-knowledge claim.
LastPass
Server-side key derivation. Encrypted vaults exfiltrated. Breach publicly confirmed by LastPass. No post-quantum encryption.
Bitwarden
Correct zero-knowledge architecture. No recent independent pentest published. No post-quantum encryption.
SealedKeys
Client-side KDF. Open-source. Independent pentest May 2026 — 0 findings. ML-KEM-768 hybrid encryption (NIST FIPS 203).
The difference between SealedKeys and Bitwarden here is verification: SealedKeys completed an independent penetration test in May 2026 with zero exploitable findings. The report is available to enterprise customers under NDA. Bitwarden does not publish equivalent recent results.
SealedKeys also ships ML-KEM-768 hybrid encryption — the NIST FIPS 203 post-quantum standard — protecting against harvest-now-decrypt-later attacks. Neither LastPass nor Bitwarden has implemented this.
LastPass does not offer EU data residency. Bitwarden defaults to US infrastructure — EU hosting is only available on the Enterprise plan, which means a sales conversation and significantly higher per-user cost just to store your data in Europe.
SealedKeys runs on Hetzner EU infrastructure on every plan, including free. No tiers, no upsells, no “available on Enterprise.” For any UK or EU business with data residency requirements — or anyone supplying UK government contracts — this removes a procurement question before it gets asked.
LastPass
No EU data residency option
Bitwarden
Requires enterprise plan upgrade
SealedKeys
Hetzner EU — all plans, always
UK Cyber Essentials certification is a government-backed scheme that assesses an organisation against five technical controls. For teams supplying public sector contracts, NHS, MOD, or any government-adjacent work, it is frequently a hard procurement requirement — not a nice-to-have.
Neither LastPass nor Bitwarden holds UK Cyber Essentials certification as of May 2026. SealedKeys does. If your prospective customer or procurement team asks “are you Cyber Essentials certified?” — the answer is yes, with the certificate number available on request.
Cyber Essentials certified
Verified by an accredited body. Certificate available at registry.blockmarktech.com. Relevant for UK government supply chain requirements, NHS, MOD, and any buyer running a Cyber Essentials supplier check.
LastPass and Bitwarden both have polished browser extensions with auto-fill. SealedKeys is web-only for now — no extension yet. If autofill is a hard requirement today, be upfront about it.
LastPass and Bitwarden both have iOS and Android apps with biometric unlock. SealedKeys has no mobile app currently. It is on the roadmap.
Bitwarden has been running since 2016. SealedKeys is earlier-stage with a shorter history. That means fewer case studies — not a less secure product.
| Feature | SealedKeys | LastPass | Bitwarden |
|---|---|---|---|
| Who copied which field — exact audit log | Email, field name, IP, timestamp on every event | Basic event list on LP servers | Enterprise plan only |
| SSH key storage (dedicated type) | Dedicated field layout: key name, fingerprint, environment | Generic secure note | Generic secure note |
| API key storage (dedicated type) | Dedicated field layout: key name, environment, expiry | Generic password entry | Generic password entry |
| Zero-knowledge architecture | Client-side KDF. Pentest May 2026 — 0 findings | Breached Dec 2022. Server-side key derivation implicated | Client-side KDF. No recent independent pentest published |
| Post-quantum encryption (NIST FIPS 203) | ML-KEM-768 hybrid — shipped | Not implemented | Not implemented |
| EU data residency | All plans. Hetzner EU infrastructure. No enterprise deal needed | Not available | Enterprise plan only |
| Cyber Essentials certified (UK) | Yes — required for UK gov supply chain work | No | No |
| SAML 2.0 SSO | Included in Pro (£3.49/user/month) | Business plan | Enterprise plan only |
| CLI tool for terminal / CI-CD | Yes — zero-knowledge, decryption is local | No | Yes (bw CLI) |
| Price | £3.49/user/month Pro | ~£5.50/user/month | ~£2.80/user/month (Enterprise ~£4.50+) |
Features and prices correct as of May 2026. Verify directly with each vendor before making a decision.
Free to start — 25 vault items, no credit card. Import your LastPass or Bitwarden export in minutes.