A command line password manager.

Version 2.2.0


Ironclad is a command line utility for creating and managing encrypted password databases.


Run ironclad --help to view the command line help:

Usage: ironclad [command]

  A utility for creating and managing encrypted password

  -h, --help        Print the application's help text.
  -v, --version     Print the application's version number.

Basic Commands:
  add               Add a new entry to a database.
  edit              Edit an existing database entry.
  gen               Generate a new random password.
  init              Initialize a new password database.
  list              List database entries.
  pass              Copy a password to the clipboard.
  retire            Mark one or more entries as inactive.
  url               Copy a url to the clipboard.
  user              Copy a username to the clipboard.

Additional Commands:
  config            Set or print a configuration option.
  decrypt           Decrypt a file.
  dump              Dump a database's JSON data store.
  encrypt           Encrypt a file.
  export            Export entries from a database.
  import            Import entries into a database.
  purge             Purge inactive entries from a database.
  restore           Restore inactive entries to active status.
  setcachepass      Change a database's cache password.
  setmasterpass     Change a database's master password.
  tags              List database tags.

  new               Alias for 'add'.
  show              Alias for 'list --verbose'.

Command Help:
  help <command>    Print a command's help text.

Run ironclad help <command> to view the help text for a specific command.

The quickstart guide is a short tutorial for first-time users.

Source Code

Ironclad is written in Go. If you have a Go compiler installed you can run:

$ go get

This will download, compile, and install the latest version of the application to your $GOPATH/bin directory.

You can find the source files on Github.


Database files are encrypted using industry-standard cryptography.1

Encrypted files have no special markers and are indistinguishable from random data.

Note that the application itself is a cross-platform utility written in a high-level, garbage-collected language. It has not been hardened against system-local threats, e.g. malicious code running with user-level privileges on the user's system, or adversaries with physical access to the user's hardware.

File Encryption

The application doubles as a simple file encryption utility using the encrypt and decrypt commands. Files are encrypted using the same 256-bit AES protocol as password databases. Original files are unaffected by either encryption or decryption.


I built this cross-platform utility as a prototype implementation of Ironclad's core idea — an open-source password manager organized around a simple JSON data store. Complexity is the enemy of security, so Ironclad is as uncomplicated as possible. A password database is a simple text file which you can view using the dump command:

$ ironclad dump

This file is encrypted using 256-bit AES, chosen as the most widely-supported secure encryption algorithm available, with implementations in every popular programming language.


Ironclad is released under an MIT license.



Ironclad deliberately uses boring cryptography. I originally intended to use ChaCha20-Poly1305 but it wasn't available in the Go standard library at the time. I realised that being easy to reimplement in different languages and environments was one of my key design goals for Ironclad so I chose instead the most widely-supported protocols from the set of secure industry-standard algorithms.