by rakoo 2171 days ago
Just don't use openssl's command line for encrypting anything, there are better tools for that.

My guess is that the fixed IV is used because the IV is needed for decrypting, which means either you prepend the ciphertext with it (which means you need to buffer the whole ciphertext in memory, defeating the streaming functionality of the service) or you already know it because it's hardcoded.

In any case there is no authentication of the encrypted payload, so you have no idea if what you received really is encrypted by the person that claims to be the sender or if it was modified somewhere in the middle.

2 comments

> which means you need to buffer the whole ciphertext in memory, defeating the streaming functionality of the service

Can't you generate an IV, write it out to the stream, then encrypt/write the ciphertext?

You could indeed, I didn't think of that. But it starts to be heavier and heavier, and the risk of making subtle mistakes increases. That's why it's better to use tools that do it properly, like age (https://github.com/FiloSottile/age).
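The approach proposed in this exchange (a random IV written to the stream ahead of the ciphertext) together with the authentication the parent comment says is missing, as an added example using only Go's standard library; this is not code from the thread, from OpenSSL or from age. The function names, the fixed demo keys and the "streamed plaintext" input are constructed for the example. Note the caveat the example makes visible: the tag can only be checked once the whole message has arrived, so the receiver cannot release plaintext as it streams without per-chunk authentication, which is exactly the kind of subtlety that makes a purpose-built tool preferable.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)
// EncryptStream writes a fresh random IV first, streams AES-CTR ciphertext
// behind it, then appends an HMAC-SHA256 tag over IV||ciphertext (encrypt-then-MAC).
func EncryptStream(encKey, macKey []byte, src io.Reader, dst io.Writer) error {
	block, err := aes.NewCipher(encKey)
	if err != nil { return err }
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil { return err }
	mac := hmac.New(sha256.New, macKey)
	out := io.MultiWriter(dst, mac) // every byte sent also feeds the MAC
	if _, err := out.Write(iv); err != nil { return err }
	sw := &cipher.StreamWriter{S: cipher.NewCTR(block, iv), W: out}
	if _, err := io.Copy(sw, src); err != nil { return err } // no whole-message buffering
	_, err = dst.Write(mac.Sum(nil)) // tag comes last, so the receiver can only verify at the end
	return err
}
// DecryptBuf verifies the tag before releasing any plaintext, so it needs the whole
// message; a streaming receiver would need per-chunk authentication instead.
func DecryptBuf(encKey, macKey, data []byte) ([]byte, error) {
	if len(data) < aes.BlockSize+sha256.Size { return nil, fmt.Errorf("input too short") }
	body, tag := data[:len(data)-sha256.Size], data[len(data)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { return nil, fmt.Errorf("authentication failed: message modified or wrong key") }
	block, err := aes.NewCipher(encKey)
	if err != nil { return nil, err }
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(pt, body[aes.BlockSize:])
	return pt, nil
}
func main() { // constructed demo: keys are fixed for illustration, a real tool derives them with a KDF
	encKey, macKey := bytes.Repeat([]byte{1}, 32), bytes.Repeat([]byte{2}, 32)
	var buf bytes.Buffer
	if err := EncryptStream(encKey, macKey, bytes.NewReader([]byte("streamed plaintext")), &buf); err != nil { panic(err) }
	buf.Bytes()[aes.BlockSize] ^= 1 // flip one ciphertext bit "in transit"
	_, err := DecryptBuf(encKey, macKey, buf.Bytes())
	fmt.Println("tampered message rejected:", err != nil)
}
```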
You can specify an IV with -iv. If you don't, the IV is derived from the password.
Just don't use OpenSSL for anything - how many times does the community have to be burned by the same project before they switch?
What's a good alternative?
libressl is the only one I'm aware of.