Ironclad is a simple command line utility for creating and managing encrypted password databases.
ironclad --help to view the application's command line help:
Usage: ironclad [FLAGS] [COMMAND] Ironclad is a command line password manager. Flags: -h, --help Print the help text and exit. -v, --version Print the version number and exit. Basic Commands: add Add a new entry to a database. delete Delete entries from a database. edit Edit an existing database entry. gen Generate a new random password. init Initialize a new password database. list List database entries. new Alias for 'add'. pass Copy a password to the clipboard. show Alias for 'list --verbose'. url Copy a url to the clipboard. user Copy a username to the clipboard. Additional Commands: config Set or print a configuration option. decrypt Decrypt a file. dump Dump a database's JSON data store. encrypt Encrypt a file. export Export entries from a database. import Import entries into a database. purge Purge inactive entries from a database. masterpass Change a database's master password. tags List database tags. Command Help: help <command> Print a command's help text.
ironclad help <command> to view the help text for a specific command.
The quickstart guide is a short tutorial for first-time users.
Ironclad is written in Go. If you have a Go compiler installed you can run:
$ go get github.com/dmulholl/ironclad/ironclad
This will download, compile, and install the latest version of the application
You can find the source files on Github.
Database files are encrypted using industry-standard cryptographic protocols.
- Data is encrypted using 256-bit AES in CBC mode.
- Padding is performed using the PKCS #7 padding scheme.
- Authentication is performed using HMAC-SHA-256.
- Encryption keys are generated using 10,000 rounds of the PBKDF2 key derivation algorithm with an SHA-256 hash.
Encrypted files have no special markers and are indistinguishable from random data.
Note that the application itself is a cross-platform utility written in a high-level, garbage-collected language. It has not been hardened against system-local threats, e.g. malicious code running with user-level privileges on the user's system, or adversaries with physical access to the user's hardware.
Ironclad caches the master password in memory for a default period of 15 minutes from its last use. You can set a custom timeout using the
$ ironclad config timeout <minutes>
Setting the timeout to
0 will disable caching altogether.
Ironclad doubles as a simple file encryption utility using the
decrypt commands. Files are encrypted using the same 256-bit AES protocol as password databases. Original files are unaffected by either encryption or decryption.
I built this cross-platform utility as a prototype implementation of Ironclad's core idea — an open-source password manager organised around a simple JSON data store.
Complexity is the enemy of security, so Ironclad is as uncomplicated as possible. A password database is a simple JSON file which you can view using the
$ ironclad dump
This file is encrypted using 256-bit AES, a widely supported, industry-standard protocol.
The Ironclad application itself is a cross-platform prototype. However, alternative native clients should be straightforward to implement and can take better advantage of the built-in security features offered by specific operating systems.
- Ryan Wynn's llave provides desktop and mobile interfaces for Ironclad databases.
Ironclad is released under an MIT license.