Darren Mulholland


A command line password manager.

Ironclad is a command line utility for creating and managing encrypted password databases.


See the releases page for file hashes.


Run ironclad --help to view the application's command line help:

Usage: ironclad [FLAGS] [COMMAND]

  Ironclad is a command line password manager.

  --help           Print the application's help text.
  --version        Print the application's version number.

  add              Add a new entry to a database.
  config           Set or print a configuration option.
  decrypt          Decrypt a file.
  delete           Delete entries from a database.
  dump             Dump a database's internal JSON store.
  edit             Edit an existing database entry.
  encrypt          Encrypt a file.
  export           Export entries from a database.
  gen              Generate a random password.
  import           Import entries into a database.
  init             Initialize a new password database.
  list             List database entries.
  pass             Copy a password to the clipboard.
  purge            Purge deleted entries from a database.
  tags             List database tags.
  user             Copy a username to the clipboard.

Command Help:
  help <command>   Print the named command's help text.

Run ironclad help <command> to view the help text for a specific command.

The quickstart guide is a short tutorial for first-time users.


Ironclad is written in Go. If you have a Go compiler installed you can run:

$ go get github.com/dmulholland/ironclad/ironclad

This will download, compile, and install the latest version of the application to your $GOPATH/bin directory.

You can find the source files on Github.


Database files are encrypted using industry-standard cryptographic protocols.

Encrypted files have no special markers and are indistinguishable from random data.

Note that this application is a cross-platform utility written in a high-level, garbage-collected language. It has not been hardened against system-local threats, e.g. malicious code running with user-level privileges on the user's system, or adversaries with physical access to the user's hardware.

Password Caching

Ironclad caches the master password in memory for a default period of 15 minutes from its last use. You can set a custom timeout using the config command:

$ ironclad config timeout <minutes>

Setting the timeout to 0 will disable caching altogether.

File Encryption

Ironclad doubles as a simple file encryption utility using the encrypt and decrypt commands. Files are encrypted using the same 256-bit AES protocol as password databases. Original files are unaffected by either encryption or decryption.


I built this cross-platform utility as a prototype implementation of Ironclad's core idea — an open-source password manager organised around a simple JSON data store.

Complexity is the enemy of security, and Ironclad is as uncomplicated as possible. A password database is a simple JSON file which you can view using the dump command:

$ ironclad dump

This file is encrypted using 256-bit AES, an industry-standard protocol supported on all platforms and across all programming languages.

By design, alternative native clients should be straightforward to implement and can take better advantage of the built-in security features offered by specific operating systems.

Ironclad is a work in progress and feedback is welcome.

Alternative Implementations


Ironclad is released under an MIT license.