Most password managers say they protect your data. A zero-knowledge password manager is built so the vendor cannot access your data — even if they wanted to.
Your master password never leaves your browser. It is used locally to derive an encryption key — the server only ever receives ciphertext.
Even with full database access, an attacker sees only encrypted blobs. So do we. There is no server-side key that unlocks them.
If SealedKeys were compromised tomorrow, your secrets would remain encrypted and unreadable without your master password.
Law enforcement can compel us to hand over the database. What they receive is ciphertext we cannot decrypt — because we don't hold the key.
SealedKeys uses standard, widely-reviewed cryptographic primitives — nothing proprietary.
Key derivation
vaultKey = PBKDF2(masterPassword, email + "sealedkeys_v1", 600,000 iterations, SHA-256)

600,000 iterations make every guess at your master password expensive, which slows offline brute-force attacks against a stolen database. Iterations raise the cost of each guess; they do not rescue a weak master password. The salt is your email plus a fixed suffix, so it is unique per account and work an attacker does against one account cannot be reused against another. Derivation runs in your browser via the Web Crypto API; the master password never leaves your device.
Encryption
encryptedData = base64url(iv || AES-256-GCM(vaultKey, iv, secretJSON))

A fresh random 12-byte IV for every item, stored in front of the ciphertext so your browser can decrypt it later. AES-256-GCM provides both confidentiality and integrity: the ciphertext carries a 16-byte authentication tag, and decryption fails outright if any byte of the IV or ciphertext has been altered, so tampering is detected before any plaintext is released.
Three ways to verify the zero-knowledge claim yourself.
The encryption implementation is open source on GitHub. You can read exactly how key derivation and encryption work instead of taking our word for it, and the two checks below confirm that the client actually running in your browser behaves the same way.
github.com/sealedkeys/crypto →
Open DevTools → Network before unlocking your vault. Everything that travels between your browser and the server, in either direction, is an encrypted blob, never plaintext. Decryption happens only after the data arrives in your browser.
Export your vault and open the offline viewer with no internet connection. Your data decrypts locally using only your master password — no server involved.
Download offline viewer →
25 items free. No credit card. Your data is encrypted on your device from the first secret you save.