diff --git a/bin/_blackbox_common.sh b/bin/_blackbox_common.sh
index c83af52..ccd5741 100755
--- a/bin/_blackbox_common.sh
+++ b/bin/_blackbox_common.sh
@@ -202,12 +202,16 @@ function shred_file() {
   if which shred >/dev/null ; then
     CMD=shred
     OPT=-u
+  elif which srm >/dev/null ; then
+    #NOTE: srm by default uses 35-pass Gutmann algorithm
+    CMD=srm
+    OPT=-f
   else
     CMD=rm
     OPT=-f
   fi
 
-  $CMD $OPT "$name"
+  $CMD $OPT -- "$name"
 }
 
 function md5sum_file() {
@@ -324,7 +328,7 @@ function vcs_remove() {
 }
 # Mercurial
 function vcs_remove_hg() {
-  hg rm -A """$@"""
+  hg rm -A -- """$@"""
 }
 # Git
 function vcs_remove_git() {
diff --git a/bin/blackbox_shred_all_files b/bin/blackbox_shred_all_files
new file mode 100755
index 0000000..15fdfc4
--- /dev/null
+++ b/bin/blackbox_shred_all_files
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+#
+# blackbox_shred_all_files -- shred all decrypted versions of encrypted files
+#
+
+set -e
+. _blackbox_common.sh
+
+echo '========== ENCRYPTED FILES THAT WERE UNLOCKED:'
+awk <"$BB_FILES" '{ print "    " $1 ".gpg" }'
+
+echo '========== FILES THAT WILL BE SHREDDED:'
+for i in $(<$BB_FILES) ; do
+  unencrypted_file=$(get_unencrypted_filename "$i")
+  encrypted_file=$(get_encrypted_filename "$i")
+  if [[ -f "$unencrypted_file" ]]; then
+    shred_file "$unencrypted_file"
+  fi
+done
+
+echo '========== DONE.'
diff --git a/bin/blackbox_update_all_files b/bin/blackbox_update_all_files
index 4e7644d..d611744 100755
--- a/bin/blackbox_update_all_files
+++ b/bin/blackbox_update_all_files
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 #
-# blackbox_edit_end.sh -- Re-encrypt file after edits.
+# blackbox_update_all_files -- Re-encrypt file after edits.
 #
 
 set -e