Ironclad is a command line utility for creating and managing encrypted password databases.
ironclad --help to view the application's command line help:
Usage: ironclad [FLAGS] [COMMAND] Ironclad is a command line password manager. Flags: -h, --help Print the application's help text. -v, --version Print the application's version number. Basic Commands: add Add a new entry to a database. delete Delete entries from a database. edit Edit an existing database entry. gen Generate a new random password. init Initialize a new password database. list List database entries. pass Copy a password to the clipboard. url Copy a url to the clipboard. user Copy a username to the clipboard. Additional Commands: cachepass Change a database's cache password. config Set or print a configuration option. decrypt Decrypt a file. dump Dump a database's JSON data store. encrypt Encrypt a file. export Export entries from a database. import Import entries into a database. purge Purge inactive entries from a database. masterpass Change a database's master password. tags List database tags. Aliases: new Alias for 'add'. show Alias for 'list --verbose'. Command Help: help <command> Print a command's help text.
ironclad help <command> to view the help text for a specific command.
The quickstart guide is a short tutorial for first-time users.
Ironclad is written in Go. If you have a Go compiler installed you can run:
$ go get github.com/dmulholl/ironclad/ironclad
This will download, compile, and install the latest version of the application
You can find the source files on Github.
Database files are encrypted using industry-standard cryptography.1
- Data is encrypted using 256-bit AES in CBC mode.
- Padding is performed using the PKCS #7 padding scheme.
- Authentication is performed using HMAC-SHA-256.
- Encryption keys are generated using 100,000 rounds of the PBKDF2 key derivation algorithm with an SHA-256 hash.
Encrypted files have no special markers and are indistinguishable from random data.
Note that the application itself is a cross-platform utility written in a high-level, garbage-collected language. It has not been hardened against system-local threats, e.g. malicious code running with user-level privileges on the user's system, or adversaries with physical access to the user's hardware.
The application doubles as a simple file encryption utility using the
decrypt commands. Files are encrypted using the same 256-bit AES protocol as password databases. Original files are unaffected by either encryption or decryption.
I built this cross-platform utility as a prototype implementation of Ironclad's core idea — an open-source password manager organized around a simple JSON data store.
Complexity is the enemy of security, so Ironclad is as uncomplicated as possible. A password database is a simple JSON file which you can view using the
$ ironclad dump
This file is encrypted using 256-bit AES, chosen as the most widely-supported secure encryption algorithm available, with implementations in every popular programming language.
Ironclad is released under an MIT license.
Ironclad deliberately uses boring crypto. I originally intended to use ChaCha20-Poly1305 which was shiny and new, but it wasn't available in the Go standard library at the time. I realised that being easy to reimplement in different languages and environments was one of my key design goals for Ironclad so I chose instead the most widely-supported protocols from the set of secure industry-standard algorithms.