Zero-Knowledge Password Manager

Most password managers say they protect your data. A zero-knowledge password manager is built so the vendor cannot access your data — even if they wanted to.

In short

A zero-knowledge password manager encrypts every secret on your device before it reaches the server, so the vendor only ever stores unreadable ciphertext. SealedKeys derives your vault key in-browser with PBKDF2-SHA256 (600,000 iterations) and encrypts with AES-256-GCM, so even a full database breach exposes nothing readable.

What zero-knowledge actually means

Encryption happens on your device

Your master password never leaves your browser. It is used locally to derive an encryption key — the server only ever receives ciphertext.

The server cannot read your secrets

Even with full database access, an attacker (or us) sees only encrypted blobs. There is no server-side key that unlocks them.

A breach doesn't expose your data

If SealedKeys were compromised tomorrow, your secrets would remain encrypted and unreadable without your master password.

We cannot comply with a demand to hand over your secrets

Law enforcement can compel us to hand over the database. What they receive is ciphertext we cannot decrypt — because we don't hold the key.

Zero-knowledge vs. encrypted storage

Encrypted storage (not zero-knowledge)

  • Server holds the encryption keys
  • Vendor can decrypt your secrets
  • A breach or court order exposes your data
  • You rely on the vendor's privacy promises
  • Common in enterprise password managers

Zero-knowledge (SealedKeys)

  • Encryption key derived on your device only
  • Server stores only AES-256-GCM ciphertext
  • A breach exposes nothing readable
  • Computationally infeasible for us to decrypt without your master password
  • Verifiable — open source, auditable

How it works

SealedKeys uses standard, widely-reviewed cryptographic primitives — nothing proprietary.

Key derivation

vaultKey = PBKDF2(masterPassword, email + "sealedkeys_v1", 600,000 iterations, SHA-256)

Running 600,000 iterations makes each guess of the master password expensive, so brute-force attacks against a stolen database are slow. Derivation runs in your browser via the Web Crypto API — the master password never leaves your device.

Encryption

encryptedData = base64url(randomIV[12] || AES-256-GCM(vaultKey, secretJSON))

A fresh random IV for every item. AES-256-GCM provides both confidentiality and integrity — tampering is detectable.

Don't take our word for it

Three ways to verify the zero-knowledge claim yourself.

1. Read the source code

The encryption implementation is open source on GitHub. You can read exactly how key derivation and encryption work — no trust required.

github.com/sealedkeys/crypto

2. Inspect the network traffic

Open DevTools → Network before unlocking your vault. You will see encrypted blobs sent to the server — never plaintext. The decryption happens after the data arrives in your browser.

3. Use the offline viewer

Export your vault and open the offline viewer with no internet connection. Your data decrypts locally using only your master password — no server involved.


Frequently asked questions

What is a zero-knowledge password manager?

A zero-knowledge password manager derives the encryption key entirely on your device from your master password. Every secret is encrypted before it leaves your browser. The server stores only ciphertext — it has no key and cannot decrypt your data under any circumstances.

Is zero-knowledge the same as end-to-end encryption?

They are related but not identical. End-to-end encryption (E2EE) ensures data is encrypted between sender and recipient. Zero-knowledge goes further: it means the service provider has no ability to decrypt the data at any point — not in transit, not at rest, not under compulsion. SealedKeys is both E2EE and zero-knowledge.

What happens if SealedKeys is hacked?

An attacker who gains full database access would find only AES-256-GCM ciphertext. Without your master password they cannot decrypt a single item. The encryption key is derived client-side and never transmitted — it does not exist on our servers.

How can I verify SealedKeys is actually zero-knowledge?

Three ways: (1) Read the open-source encryption layer on GitHub — no trust required. (2) Open DevTools → Network while unlocking your vault — you will see encrypted blobs arriving, never plaintext. (3) Export your vault and open the offline viewer with no internet — your data decrypts locally from your master password alone.

Does zero-knowledge mean you can never recover my vault?

Correct. Because SealedKeys cannot derive your encryption key, we cannot recover a lost master password. We strongly recommend writing it down and storing it securely. Emergency access via a trusted contact is on the roadmap.

Which encryption algorithms does SealedKeys use?

Key derivation: PBKDF2-SHA256 with 600,000 iterations. Encryption: AES-256-GCM with a fresh random 12-byte IV per item. All cryptography runs in the browser via the Web Crypto API — no third-party cryptography libraries.

Try a password manager that can't read your secrets

Free to start — no credit card. Your data encrypted on your device from the first secret you save.