
Keyhold.io was a specialized zero-knowledge secret custody platform designed specifically for teams and businesses that needed to securely collect and manage credentials belonging to their clients rather than their own internal systems. The platform targeted IT field engineering businesses, managed service providers (MSPs), IT teams, and agencies who regularly received sensitive access credentials from clients through insecure channels like email, Slack DMs, and text messages. Its core value proposition centered on eliminating the trust issues inherent in third-party communication systems by ensuring that no one—not even the platform operators themselves—could read the stored credentials, providing what the founder described as a solution for that nagging feeling that 'there has to be a better way' to handle this critical security workflow.
The concrete problem Keyhold.io aimed to solve was the insecure transmission and storage of client credentials through everyday communication tools that weren't designed for sensitive data protection. Businesses like IT field engineering services constantly received server logins, network access credentials, API keys, and configuration files from clients who had no secure method to share them. This created significant security risks and compliance concerns, as these credentials flowed through systems the receiving business didn't fully trust with such sensitive information. The platform addressed why this mattered by providing a dedicated, encrypted channel specifically for credential exchange, transforming an ad-hoc, risky process into a controlled, auditable security workflow that protected both the client sharing credentials and the business receiving them.
One major feature group was the zero-knowledge encryption architecture with split-key decryption. The platform implemented AES-256-GCM encryption where all credentials were encrypted directly in the user's browser before any data ever touched Keyhold.io's servers. The decryption key was strategically split between AWS Key Management Service (KMS) and the user's own device, creating a cryptographic design where not even the platform operators could read the stored secrets. This technical implementation meant that the company running Keyhold.io literally couldn't access the plaintext credentials even if compelled to do so, which the founder noted would satisfy even a paranoid CISO's security requirements while fundamentally changing the trust model of credential management platforms.
A second major feature group involved the secure collection workflow and audit capabilities. Clients could submit passwords, API keys, and config files through encrypted links that maintained end-to-end protection throughout the entire process. The platform provided full audit trails that documented every access and action taken with stored credentials, combined with role-based access controls that allowed businesses to manage precisely who within their team could view or use specific client secrets. This created a verifiable chain of custody for sensitive credentials, addressing compliance needs and internal security policies while maintaining the zero-knowledge guarantee that prevented even administrators from viewing the actual credential contents without proper authorization.
admin
Additional capabilities included integration with common collaboration platforms through Slack and Microsoft Teams notifications, which alerted teams when new credentials were submitted or accessed. The platform also offered bulk onboarding features to efficiently manage multiple clients or credential sets simultaneously. However, the architecture's strict zero-knowledge design created limitations, as some potential users requested APIs that could programmatically read secrets or automated workflows requiring plaintext access—functionality fundamentally incompatible with the core security model where even the platform couldn't decrypt the stored data, highlighting the tension between maximum security and practical integration needs.
The product worked through a specific methodology where clients would receive an encrypted link to a submission portal where they could enter credentials directly into their browser. The system would immediately encrypt this data client-side using strong cryptography before transmitting the ciphertext to Keyhold.io's servers for storage. Authorized team members could then access these encrypted credentials through a web interface where the split-key system would reassemble decryption capability only with proper authentication and authorization. This workflow ensured that plaintext secrets never existed on Keyhold.io infrastructure, with all cryptographic operations happening either in the user's browser or through AWS KMS services that the platform couldn't directly access.
Concrete use cases included IT field engineering businesses like the founder's own Smart Hands company, which needed secure methods for clients to share server room access codes, network equipment passwords, and temporary administrative credentials for on-site work. Managed service providers (MSPs) could use the platform to collect client infrastructure passwords during onboarding processes without risking exposure through email. Agencies handling client marketing platforms or SaaS tools could securely receive API keys and account credentials while maintaining audit trails of which team member accessed which client system. The outcome was a verifiable, encrypted credential exchange that eliminated the security risks of traditional communication methods while providing documentation for compliance requirements.
The target users were specifically businesses handling client credentials rather than their own internal secrets—IT field engineering services, managed service providers (MSPs), IT support teams, digital agencies, and similar professional service organizations. The platform operated as a web application with infrastructure built on AWS services including KMS for key management and S3 for storage, priced at a flat £50 per month without per-seat licensing. The key takeaway reinforced that while the platform offered technically sophisticated zero-knowledge security for credential exchange, the market demand for this specific architecture was limited by practical workflow requirements that needed more flexible access to plaintext secrets than the strict security model could accommodate.
Keyhold.io specifically targeted businesses that managed credentials belonging to their clients rather than internal systems: IT field engineering services, managed service providers (MSPs), IT teams at agencies, and professional service organizations that regularly received sensitive access credentials from clients through insecure channels. The platform was designed for teams needing to solve the trust issues inherent in using third-party communication systems for credential exchange while maintaining compliance and audit requirements.
Updated 2026-02-28