IronDiff is engineered for security-conscious network teams. Unlike legacy tools that require centralized SSH access or store clear-text credentials in the cloud, IronDiff utilizes a distributed, zero-knowledge architecture.
1. The Local Docker Agent
At the heart of IronDiff is the Local Docker Agent. This lightweight container runs inside your protected network environment.
- Outbound-Only Connectivity: The agent initiates all communication. You never need to open inbound firewall rules or VPN tunnels for IronDiff to function. It pulls configurations locally and pushes encrypted, redacted data outbound to the IronDiff portal.
- Hardened Environment: Built as a minimal, security-hardened Docker container, the agent runs as a non-root user with a reduced attack surface, ensuring it complies with strict enterprise security policies.
- Minimal Footprint: The agent runs in its own container and bundles everything it needs, so it installs nothing on the host beyond the Docker runtime and does not interfere with your existing infrastructure.
2. Secure Credential Storage
Your network device credentials (SSH usernames, passwords, and SNMP strings) are the keys to your kingdom. IronDiff ensures they stay in your hands.
- Local Encryption: Credentials are encrypted with AES-256-GCM and stored exclusively in your local Docker container. AES-256 is not a post-quantum algorithm as such, but its 256-bit key keeps a wide margin against Grover-style quantum key search, which at best halves the effective key length to 128 bits.
- Never Uploaded: Clear-text passwords never leave your network. They are never sent to IronDiff’s servers, and they are never stored in our database. Even in the event of a cloud security breach, your core infrastructure remains protected.
3. The Intelligent Redaction Engine
Before any configuration data is uploaded for diffing, it passes through our vendor-aware Redaction Engine. This process happens entirely in the memory of your local container.
- Automatic Scrubbing: The engine identifies and removes sensitive strings such as:
- "enable secret" and "password" strings (Cisco, Aruba, etc.)
- SNMP community strings
- Private keys and certificates
- User account hashes
- Visible Diffing: The resulting “Redacted Config” is what you see in the IronDiff Portal. This allows your team to track architectural changes and drift without exposing sensitive security data to the web UI.
- Compliance Ready: By scrubbing secrets before they ever leave your network, IronDiff supports SOC 2, PCI DSS, and HIPAA controls by ensuring clear-text passwords are never stored in cloud logs or third-party databases.
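The following is an added example, not IronDiff's own redaction engine, of what a vendor-aware scrubber of the kind described above has to do: rewrite single-line secrets (enable secret, username secret/password, line passwords, SNMP community strings) while keeping the surrounding keywords so the diff stays readable, and drop whole blocks (certificate bodies, PEM private keys) between a start and end marker. The sample configuration, the placeholder hashes in it, and the "<REDACTED>" markers are all constructed for this example; the rule set is illustrative and would need extending per vendor.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleConfig is a constructed Cisco-IOS-style fragment for this example; it is not a
// real device configuration and the hashes and strings in it are placeholders.
const sampleConfig = `hostname core-sw-01
enable secret 5 $1$abcd$FakeHashForExampleOnly12345
username admin privilege 15 secret 9 $9$fakeScryptHashForExample
username ops password 7 0822455D0A16
snmp-server community s3cr3tRO RO
snmp-server community s3cr3tRW RW
interface GigabitEthernet1/0/1
 description uplink-to-core
crypto pki certificate chain TP-self-signed-1
 certificate self-signed 01
  30820330 308202A0 A0030201 02020101 300D0609 2A864886 F70D0101
  quit
line vty 0 4
 password 7 094F471A1A0A
`

// lineRule rewrites a single line: group 1 keeps the keyword part, the secret is dropped.
type lineRule struct {
	re   *regexp.Regexp
	repl string
}

// blockRule drops everything between a start line and an end line (keys, certificates).
type blockRule struct {
	start, end *regexp.Regexp
}

var lineRules = []lineRule{
	{regexp.MustCompile(`^(\s*enable (?:secret|password)(?: \d+)?) \S+$`), "${1} <REDACTED>"},
	{regexp.MustCompile(`^(\s*username \S+(?: privilege \d+)? (?:secret|password)(?: \d+)?) \S+$`), "${1} <REDACTED>"},
	{regexp.MustCompile(`^(\s*password(?: \d+)?) \S+$`), "${1} <REDACTED>"},
	{regexp.MustCompile(`^(\s*snmp-server community) \S+(.*)$`), "${1} <REDACTED>${2}"},
}

var blockRules = []blockRule{
	// IOS certificate bodies: "certificate self-signed 01 ... quit"
	{regexp.MustCompile(`^\s*certificate (?:self-signed|ca) \S+`), regexp.MustCompile(`^\s*quit\s*$`)},
	// PEM private keys pasted into a config
	{regexp.MustCompile(`^-----BEGIN (?:RSA |EC )?PRIVATE KEY-----`), regexp.MustCompile(`^-----END (?:RSA |EC )?PRIVATE KEY-----`)},
}

// Redact returns the scrubbed config and the number of secrets removed. It works
// line by line on an in-memory string, so nothing is written to disk.
func Redact(cfg string) (string, int) {
	var out []string
	count := 0
	var open *blockRule
	for _, line := range strings.Split(cfg, "\n") {
		if open != nil {
			// Inside a secret block: drop body lines, keep the terminator.
			if open.end.MatchString(line) {
				out = append(out, line)
				open = nil
			}
			continue
		}
		started := false
		for i := range blockRules {
			if blockRules[i].start.MatchString(line) {
				out = append(out, line, "  <REDACTED BLOCK>")
				open = &blockRules[i]
				count++
				started = true
				break
			}
		}
		if started {
			continue
		}
		for _, r := range lineRules {
			if r.re.MatchString(line) {
				line = r.re.ReplaceAllString(line, r.repl)
				count++
				break
			}
		}
		out = append(out, line)
	}
	return strings.Join(out, "\n"), count
}

func main() {
	redacted, n := Redact(sampleConfig)
	fmt.Printf("%d secrets redacted\n%s", n, redacted)
}
```

Two design points worth copying: the rewrite keeps the keyword and hash-type number ("enable secret 5 <REDACTED>") so a change from password 7 to secret 9 still shows up as a diff, and block rules fail safe by dropping every line until the terminator rather than trying to recognise key material by content.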
4. Zero-Knowledge Raw Backups
While the Portal shows you redacted diffs, you still need full, unredacted configurations for disaster recovery. IronDiff handles this through a Zero-Knowledge architecture.
- Master Encryption Key: During setup, you generate a Master Encryption Key. IronDiff does not have a copy of this key.
- Client-Side Encryption: The local agent encrypts the full, raw configuration with AES-256-GCM under your Master Encryption Key before upload, so the cloud only ever receives ciphertext and its authentication tag.
- Mathematically Unrecoverable: Because IronDiff never holds your key, neither IronDiff staff nor IronDiff systems can decrypt your raw backup files. The flip side is that a lost Master Encryption Key means lost backups, since nobody, IronDiff included, can recover them; treat the key as a disaster-recovery asset and keep an offline copy you control.
- Local Decryption Only: Decryption can only be performed by your local Docker container (or via our offline decryption utility) using the key that only you possess.
5. Summary of Data Flow
- Poll: The Local Agent connects to your switches/firewalls via SSH.
- Redact: Sensitive data is stripped in memory to create a Portal Version.
- Encrypt: The raw config is encrypted with your Master Key to create a Restore Version.
- Push: Both versions are pushed over TLS to the IronDiff cloud.
- Review: Your team reviews clean diffs in the IronDiff Portal or directly within your Hudu Documentation stack—enabling a “Documentation-as-Code” workflow where your network assets stay up-to-date automatically.
