Password Manager for Business

PassCryp gives your team a centralized, zero-knowledge vault for every shared credential — SaaS logins, infrastructure passwords, API keys, payment processor secrets. Add members, share by project, revoke instantly. Built for teams of 5 to 50.

Start your free vault Security model

Shared vaults by project

Group credentials by team, project, or environment. Members see only the vaults they're assigned to.

Per-vault keys

Each shared vault has its own AES key, wrapped to each member's public key. Revoking a member rotates the key client-side.

Audit log for every reveal

Every time a credential is viewed, copied, or shared, the action is logged with user, IP, and timestamp.

Onboarding in minutes

Invite by email. Members set their own master password. Vault keys are wrapped to them automatically.

Affordable per-seat pricing

Pro at $5.99/seat/month covers shared vaults, audit logs, and CLI access. No enterprise minimum.

Why centralized credentials matter

Shared credentials in chat threads, sticky notes, or a spreadsheet are how most small-business breaches start. One employee gets phished, the attacker reads the chat history, every password rolls out at once. Centralizing in an encrypted vault closes that gap.

PassCryp's shared vaults give you a single source of truth: the credential lives in one place, every team member sees the same version, rotation propagates to everyone instantly, and revoking a departed employee removes their access in one click.

How sharing works without us seeing plaintext

When you create a shared vault, your browser generates a fresh 256-bit AES vault key. The key is wrapped to your own public key (so you can decrypt it later) and to each member's public key as you add them. We store the wrapped copies; we never see the underlying key.

When you revoke a member, the client generates a new vault key, re-encrypts every item in the vault to the new key, and re-wraps the new key to remaining members. The revoked member's wrapped copy becomes useless — they cannot decrypt the new ciphertext.

Audit logs are tamper-evident: every action writes a row to an append-only log, signed by the actor's session. Logs ship to your admin dashboard in real time.

Provisioning, deprovisioning, and offboarding

Add a member: enter their email, choose vaults to grant. They receive an invite, set a master password, and the vault keys wrap to their public key automatically.

Remove a member: one click in the admin dashboard. Their session terminates, their wrapped vault keys are deleted, and the affected vaults re-key automatically. Average time from click to fully revoked access: under 10 seconds.

For larger teams (50+), enterprise SSO and SCIM provisioning are on the roadmap — today, we recommend manual invite for teams under 50 seats. For more advanced IAM needs, see our 1Password and Bitwarden comparisons.

Frequently asked questions

How many users can I add?

Pro plan covers up to 25 seats. Beyond that, contact us for custom pricing.

Do you support SSO?

SAML SSO is on the 2026 roadmap. For teams under 50, manual invite + per-member master passwords is the recommended flow today.

Can admins see member vault contents?

No. Admins manage who has access; they cannot decrypt members' personal vaults. Shared vaults are visible to members assigned to them, not to admins by default.

What happens when an employee leaves?

Revoke their access from the admin dashboard. Their session terminates, vault keys re-rotate, and they lose access to all shared vaults instantly.

Is there an audit log?

Yes — every reveal, share, edit, and admin action is logged with timestamp, user, and IP. Logs export to CSV or JSON.

How is pricing structured?

Pro at $5.99/seat/month, billed monthly. No annual lock-in, no enterprise minimum, no SCIM-only tier.

Ready to take control of your secrets?

Start a free zero-knowledge vault in under 60 seconds.

Start your free vault