I've looked at 10 different tools like this, but this doesn't fall well enough into the definition i'm using of "standard tools," by which I mean something installable from apt/yum/ports on a wide variety of systems.

The closest I've found is using openssl's aes modes, but that requires the IV to be stored out-of-band somehow which is a do-able but a hassle I was hoping to avoid.