Ironclad is a command line utility for creating and managing encrypted password databases.
See the releases page for file hashes.
ironclad --help to view the application's command line help:
Usage: ironclad [FLAGS] [COMMAND] Ironclad is a command line password manager. Flags: --help Print the application's help text. --version Print the application's version number. Commands: add Add a new entry to a database. config Set or print a configuration option. decrypt Decrypt a file. delete Delete entries from a database. dump Dump a database's internal JSON store. edit Edit an existing database entry. encrypt Encrypt a file. export Export entries from a database. gen Generate a random password. import Import entries into a database. init Initialize a new password database. list List database entries. pass Copy a password to the clipboard. purge Purge deleted entries from a database. tags List database tags. user Copy a username to the clipboard. Command Help: help <command> Print the named command's help text.
ironclad help <command> to view the help text for a specific command.
The quickstart guide is a short tutorial for first-time users.
Ironclad is written in Go. If you have a Go compiler installed you can run:
$ go get github.com/dmulholland/ironclad/ironclad
This will download, compile, and install the latest version of the application
You can find the source files on Github.
Database files are encrypted using industry-standard cryptographic protocols.
- Data is encrypted using 256-bit AES in CBC mode.
- Padding is performed using the PKCS #7 padding scheme.
- Authentication is performed using the HMAC-SHA-256 protocol.
- Encryption keys are generated using 10,000 rounds of the PBKDF2 key derivation algorithm with an SHA-256 hash.
Encrypted files have no special markers and are indistinguishable from random data.
Note that this application is a cross-platform utility written in a high-level, garbage-collected language. It has not been hardened against system-local threats, e.g. malicious code running with user-level privileges on the user's system, or adversaries with physical access to the user's hardware.
Ironclad caches the master password in memory for a default period of 15 minutes from its last use. You can set a custom timeout using the
$ ironclad config timeout <minutes>
Setting the timeout to
0 will disable caching altogether.
Ironclad doubles as a simple file encryption utility using the
decrypt commands. Files are encrypted using the same 256-bit AES protocol as password databases. Original files are unaffected by either encryption or decryption.
I built this cross-platform utility as a prototype implementation of Ironclad's core idea — an open-source password manager organised around an elegantly simple JSON data store.
Complexity is the enemy of security, and Ironclad is as uncomplicated as possible. A password database is a simple JSON file which you can view using the
$ ironclad dump
This file is encrypted using 256-bit AES, an industry-standard protocol supported on all platforms and across all programming languages.
By design, alternative native clients – both graphical and command-line – are straightforward to implement and can take better advantage of the built-in security features offered by their specific operating systems.
Ironclad is a work in progress and feedback is welcome.
Ironclad is released under an MIT license.