Encrypt/decrypt files with the OpenSSL CLI (github.com/korovkin)
4 points by peacebreaker2k on Dec 11, 2022 | 5 comments


Encrypt and decrypt files/streams with the openssl command line.

Q: How would you improve that without increasing the simplicity of the approach?

Q: Is a random 'salt' required here, or does the aes-256-cbc do it for me anyway?


I like the fact that your script is simple, and uses a ubiquitous library! But I do have a few suggestions:

1. You may be using an older version of openssl, but with modern versions, add the `-pbkdf2` option for much saner key derivation.

2. With modern versions of openssl, the `-salt` option is on by default, so you don't need to specify it explicitly (and you almost certainly want this option on, versus not using a salt or generating one yourself).

3. Since no AEAD modes are available with this tool, CTR mode (the `-aes-256-ctr` option) might be the best mode to use with AES (see https://security.stackexchange.com/questions/27776/block-cha...).

4. Alternatively, you might prefer to use ChaCha20 (the `-chacha20` option) over AES (see https://crypto.stackexchange.com/questions/34455/whats-the-a...).

So I would suggest this for the encryption command (instead of `openssl enc -aes-256-cbc -salt -a`):

> openssl enc -chacha20 -pbkdf2 -a

Also, instead of using openssl, you might prefer to use `age`, as it uses modern crypto best practices by default (see https://age-encryption.org/). With it, you could substitute this encryption command for the above:

> age -p -a
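One way to put the suggestions above (PBKDF2, the default random salt, a non-AEAD mode) into a script, and to check the submitter's salt question directly: this is an added example, not code from the linked repository or from this commenter. It assumes OpenSSL 1.1.1 or newer (an older LibreSSL may lack `-pbkdf2`), uses CTR because OpenSSL's `enc` rejects AEAD modes such as GCM, and the iteration count, password and sample text are constructed.

```shell
#!/bin/sh
# Added example, not from the linked repository: password-based file encryption
# with `openssl enc` per the thread's advice (PBKDF2, default salt, CTR mode).
# Assumes OpenSSL 1.1.1+; an older LibreSSL may not support -pbkdf2.
# Usage: sh enc_demo.sh run
set -eu

CIPHER=-aes-256-ctr
ITER=600000   # constructed work factor, well above enc's default of 10000

# enc_file PASSWORD IN OUT: encrypt IN to base64 text in OUT. The password is
# handed over in a per-command environment variable rather than "pass:...",
# so it does not show up in the process list.
enc_file() {
    OPENSSL_PASS="$1" openssl enc $CIPHER -pbkdf2 -iter "$ITER" -salt -a \
        -pass env:OPENSSL_PASS -in "$2" -out "$3"
}

# dec_file PASSWORD IN OUT: inverse of enc_file. The same KDF settings are
# needed; the salt is read back from the file header, nothing to store apart.
dec_file() {
    OPENSSL_PASS="$1" openssl enc -d $CIPHER -pbkdf2 -iter "$ITER" -a \
        -pass env:OPENSSL_PASS -in "$2" -out "$3"
}

# header_magic FILE: first 8 bytes of the decoded ciphertext. With -salt (the
# modern default) enc writes "Salted__" followed by the 8-byte random salt.
header_magic() {
    openssl base64 -d -in "$1" | head -c 8
}

# roundtrip_ok: encrypt constructed sample text twice, decrypt once, and check
# (1) the plaintext survives, (2) the salt header is present, (3) the two
# ciphertexts differ, i.e. the salt really is random. Prints "ok" on success.
# What it cannot check: CTR gives no integrity, so a tampered ciphertext still
# decrypts without error, to garbage (the reason AEAD or age is preferable).
roundtrip_ok() {
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    printf 'constructed sample plaintext\n' > "$tmp/plain"
    enc_file 'correct horse battery staple' "$tmp/plain" "$tmp/enc1"
    enc_file 'correct horse battery staple' "$tmp/plain" "$tmp/enc2"
    dec_file 'correct horse battery staple' "$tmp/enc1" "$tmp/out"
    cmp -s "$tmp/plain" "$tmp/out" || { echo "roundtrip failed"; return 1; }
    [ "$(header_magic "$tmp/enc1")" = "Salted__" ] || { echo "no salt header"; return 1; }
    if cmp -s "$tmp/enc1" "$tmp/enc2"; then echo "salt not random"; return 1; fi
    echo ok
}
case "${1:-}" in run) roundtrip_ok ;; esac
```

Decryption needs the same `-iter` value, so treat it as part of the file format you commit to; the salt itself travels in the `Salted__` header.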


Hey, thank you!

I am running:

$ openssl version
LibreSSL 2.8.3

chacha20 is not available:

Valid ciphername values:

-aes-128-cbc -aes-128-cfb -aes-128-cfb1 -aes-128-cfb8 -aes-128-ctr -aes-128-ecb -aes-128-gcm -aes-128-ofb -aes-128-xts -aes-192-cbc -aes-192-cfb -aes-192-cfb1 -aes-192-cfb8 -aes-192-ctr -aes-192-ecb -aes-192-gcm -aes-192-ofb -aes-256-cbc -aes-256-cfb -aes-256-cfb1 -aes-256-cfb8 -aes-256-ctr -aes-256-ecb -aes-256-gcm -aes-256-ofb -aes-256-xts -aes128 -aes192 -aes256 -bf -bf-cbc -bf-cfb -bf-ecb -bf-ofb -blowfish -camellia-128-cbc -camellia-128-cfb -camellia-128-cfb1 -camellia-128-cfb8 -camellia-128-ecb -camellia-128-ofb -camellia-192-cbc -camellia-192-cfb -camellia-192-cfb1 -camellia-192-cfb8 -camellia-192-ecb -camellia-192-ofb -camellia-256-cbc -camellia-256-cfb -camellia-256-cfb1 -camellia-256-cfb8 -camellia-256-ecb -camellia-256-ofb -camellia128 -camellia192 -camellia256 -cast -cast-cbc -cast5-cbc -cast5-cfb -cast5-ecb -cast5-ofb -chacha -des -des-cbc -des-cfb -des-cfb1 -des-cfb8 -des-ecb -des-ede -des-ede-cbc -des-ede-cfb -des-ede-ofb -des-ede3 -des-ede3-cbc -des-ede3-cfb -des-ede3-cfb1 -des-ede3-cfb8 -des-ede3-ofb -des-ofb -des3 -desx -desx-cbc -gost89 -gost89-cnt -gost89-ecb -id-aes128-GCM -id-aes192-GCM -id-aes256-GCM -rc2 -rc2-40-cbc -rc2-64-cbc -rc2-cbc -rc2-cfb -rc2-ecb -rc2-ofb -rc4 -rc4-40 -rc4-hmac-md5


Ah, in that case I think `-aes-256-gcm` is probably your best option (which isn't available with regular old OpenSSL).


Got it, thank you!



