The Real Problem with Conventional AI Assistants
I was working on a project with strict security requirements — customer data, internal source code, system documentation. After using cloud-based AI assistants (ChatGPT, Copilot…) for a while, the security team started asking: “Where does the data you paste in there actually go?”
Nobody could answer with certainty. Even though providers promise not to use your data for training, traffic still passes through their servers. Logs still exist somewhere. For enterprise environments or projects handling sensitive data, this is a risk you simply can’t ignore.
IronClaw addresses exactly that. A CLI tool written in Rust, running entirely on your local machine — no telemetry, no outbound connections unless you deliberately configure them. Memory safety is a language property, not a promise.
Installing IronClaw
There are two ways to install: build from source via Cargo, or download a pre-built binary release. I usually go with the first approach to control the version and audit the code when needed.
Prerequisites: Installing the Rust Toolchain
Don’t have Rust installed yet? Install it via rustup — the official way, avoiding all the headaches with your distro’s package manager:
# Install rustup (Rust version manager)
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
# Load environment for the current session
source $HOME/.cargo/env
# Check version
rustc --version
cargo --versionIronClaw requires Rust 1.70 or higher. Running an older version? One command fixes that:
rustup update stableInstalling IronClaw via Cargo
# Install from crates.io
cargo install ironclaw
# Or build from source if you want to audit the code
git clone https://github.com/ironclaw-ai/ironclaw.git
cd ironclaw
cargo build --release
# Copy binary to PATH
sudo cp target/release/ironclaw /usr/local/bin/The first build takes about 2-3 minutes to compile dependencies. Rust compiles slowly, but the resulting binary is lean and performs consistently — a worthwhile trade-off.
Installing from a Binary Release (Faster)
Don’t want to install the entire Rust toolchain? Download a pre-built binary directly:
# Linux x86_64
wget https://github.com/ironclaw-ai/ironclaw/releases/latest/download/ironclaw-linux-x86_64.tar.gz
tar -xzf ironclaw-linux-x86_64.tar.gz
sudo mv ironclaw /usr/local/bin/
sudo chmod +x /usr/local/bin/ironclaw
# Verify the binary — don't skip this step
sha256sum ironclaw # Compare with the SHA256SUMS file on the release pageDetailed Configuration
This section determines whether IronClaw is truly secure. The configuration file uses TOML format, stored at ~/.config/ironclaw/config.toml.
Initializing the Default Configuration
# Generate default configuration
ironclaw init
# Check the generated file
cat ~/.config/ironclaw/config.tomlConfiguring the AI Backend
IronClaw supports multiple backends: Ollama (local), LM Studio, or any OpenAI API-compatible endpoint. Want maximum security? Use Ollama — the model runs completely offline, and not a single byte leaves your machine:
# ~/.config/ironclaw/config.toml
[backend]
type = "ollama" # "ollama" | "openai-compatible" | "anthropic"
endpoint = "http://localhost:11434"
model = "llama3.2:3b" # Lightweight model for low-spec machines
# model = "qwen2.5-coder:7b" # Better model for coding tasks
[privacy]
no_telemetry = true # Completely disable telemetry
no_history_sync = true # Do not sync history to the cloud
encrypt_history = true # Encrypt local chat history
[security]
history_retention_days = 30 # Auto-delete history after 30 days
mask_secrets = true # Automatically mask API keys and passwords in output
sandbox_mode = false # Enable to restrict file system access
[ui]
theme = "dark"
syntax_highlight = true
stream_response = true # Stream response progressively instead of waiting for completionAdvanced Security Configuration
Running in a production environment or on a shared machine? Add pattern matching to automatically mask secrets:
[security]
# List of patterns to mask in output (regex)
secret_patterns = [
"sk-[a-zA-Z0-9]+", # OpenAI API key
"ghp_[a-zA-Z0-9]+", # GitHub token
"password\\s*=\\s*\\S+", # Password in config
"Bearer\\s+[\\w-]+", # Bearer token
]
[backend]
# If using an external API (accepting the trade-off)
type = "openai-compatible"
endpoint = "https://api.anthropic.com/v1" # Or an internal endpoint
api_key_env = "IRONCLAW_API_KEY" # Read from env var, do NOT hardcode
max_tokens = 4096
Important: never hardcode API keys in the config file. IronClaw reads them from an environment variable via api_key_env — always use this approach.
Integrating Ollama (Recommended for Maximum Security)
Don’t have Ollama yet? Install it and pull a model before proceeding:
# Install Ollama
curl -fsSL https://ollama.com/install.sh | sh
# Pull a suitable model
ollama pull llama3.2:3b # Fast and lightweight (~2GB)
ollama pull qwen2.5-coder:7b # Better for coding (~4.7GB)
ollama pull deepseek-r1:8b # Strong reasoning (~4.9GB)
# Check that Ollama is running
curl http://localhost:11434/api/tagsI’ve used this setup in production — Ollama with Qwen2.5-Coder running on an internal server, with IronClaw pointing to that endpoint. Latency is a few seconds depending on hardware specs, which is more than acceptable for daily workflow. The security team stopped complaining.
Verifying the Setup and Monitoring
Basic Post-Installation Testing
# Check version
ironclaw --version
# Test backend connection
ironclaw check
# Expected output:
# ✓ Config loaded: ~/.config/ironclaw/config.toml
# ✓ Backend reachable: ollama @ localhost:11434
# ✓ Model available: llama3.2:3b
# ✓ Privacy settings: telemetry=off, encryption=on
# Ask a test question
ironclaw ask "Briefly explain the Rust ownership model"
# Interactive mode (continuous chat)
ironclaw chat
# Ask about a specific file (context-aware)
ironclaw ask --file main.rs "Are there any issues with this file?"
# Pipe output from another command
git diff HEAD~1 | ironclaw ask "Summarize the changes in this diff"Checking Logs and the Audit Trail
# View activity logs
ironclaw logs --tail 50
# View history (encrypted, decrypted when displayed)
ironclaw history list
ironclaw history show --date 2026-03-06
# Manually clear history
ironclaw history clear --before 2026-01-01
# Verify no outbound connections (if using Ollama)
sudo ss -tlnp | grep ironclaw # Should show no external connectionsMonitoring with systemd (If Running Ollama as a Service)
# Check the Ollama service
systemctl status ollama
# View resource usage
top -p $(pgrep ollama)
# Monitor GPU if available
nvidia-smi -l 2 # Refresh every 2 seconds
# Check memory used by the loaded model
curl -s http://localhost:11434/api/ps | python3 -m json.toolReal-World Workflow
Once everything is set up, here’s the workflow I use every day:
# Review code before committing
git diff --staged | ironclaw ask "Review this code, find potential bugs and security issues"
# Explain error logs
cat /var/log/nginx/error.log | tail -20 | ironclaw ask "Explain this error and how to fix it"
# Generate documentation from code
ironclaw ask --file utils.py "Write docstrings for all functions in this file"
# Quick debugging
ironclaw ask "Why does Rust report: cannot borrow x as mutable because it is also borrowed as immutable"The biggest difference compared to ChatGPT or Copilot: pasting code that contains internal configs or sensitive business logic is no longer a concern. All processing happens locally. No requests leave your network.
Want to standardize this across your team? Deploy Ollama on an internal server and distribute an IronClaw config file pointing to that endpoint. All AI traffic stays within your internal network — easy to audit, easy to control, and IT security will be much happier.
