Most password managers say they protect your data. A zero-knowledge password manager is built so the vendor cannot access your data — even if they wanted to.
In short
A zero-knowledge password manager encrypts every secret on your device before it reaches the server, so the vendor only ever stores unreadable ciphertext. SealedKeys derives your vault key in-browser with PBKDF2-SHA256 (600,000 iterations) and encrypts with AES-256-GCM, so even a full database breach exposes nothing readable.
Your master password never leaves your browser. It is used locally to derive an encryption key — the server only ever receives ciphertext.
Even with full database access, an attacker (or us) sees only encrypted blobs. There is no server-side key that unlocks them.
If SealedKeys were compromised tomorrow, your secrets would remain encrypted and unreadable without your master password.
Law enforcement can compel us to hand over the database. What they receive is ciphertext we cannot decrypt — because we don't hold the key.
SealedKeys uses standard, widely-reviewed cryptographic primitives — nothing proprietary.
Key derivation
vaultKey = PBKDF2(masterPassword, email + "sealedkeys_v1", 600,000 iterations, SHA-256)
600,000 iterations make brute-force attacks computationally expensive. Derivation runs in your browser via the Web Crypto API — the master password never leaves your device.
Encryption
encryptedData = base64url(randomIV[12] || AES-256-GCM(vaultKey, secretJSON))
A fresh random IV for every item. AES-256-GCM provides both confidentiality and integrity — tampering is detectable.
Three ways to verify the zero-knowledge claim yourself.
The encryption implementation is open source on GitHub. You can read exactly how key derivation and encryption work — no trust required.
github.com/sealedkeys/crypto →
Open DevTools → Network before unlocking your vault. You will see encrypted blobs sent to the server — never plaintext. The decryption happens after the data arrives in your browser.
Export your vault and open the offline viewer with no internet connection. Your data decrypts locally using only your master password — no server involved.
Download offline viewer →
A zero-knowledge password manager derives the encryption key entirely on your device from your master password. Every secret is encrypted before it leaves your browser. The server stores only ciphertext — it has no key and cannot decrypt your data under any circumstances.
They are related but not identical. End-to-end encryption (E2EE) ensures data is encrypted between sender and recipient. Zero-knowledge goes further: it means the service provider has no ability to decrypt the data at any point — not in transit, not at rest, not under compulsion. SealedKeys is both E2EE and zero-knowledge.
An attacker who gains full database access would find only AES-256-GCM ciphertext. Without your master password they cannot decrypt a single item. The encryption key is derived client-side and never transmitted — it does not exist on our servers.
Three ways: (1) Read the open-source encryption layer on GitHub — no trust required. (2) Open DevTools → Network while unlocking your vault — you will see encrypted blobs arriving, never plaintext. (3) Export your vault and open the offline viewer with no internet — your data decrypts locally from your master password alone.
Correct. Because SealedKeys cannot derive your encryption key, we cannot recover a lost master password. We strongly recommend writing it down and storing it securely. Emergency access via a trusted contact is on the roadmap.
Key derivation: PBKDF2-SHA256 with 600,000 iterations. Encryption: AES-256-GCM with a fresh random 12-byte IV per item. All cryptography runs in the browser via the Web Crypto API — no third-party cryptography libraries.
Free to start — no credit card. Your data encrypted on your device from the first secret you save.