diff --git a/bin/blackbox_diff b/bin/blackbox_diff
new file mode 100755
index 0000000..350be01
--- /dev/null
+++ b/bin/blackbox_diff
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+#
+# blackbox_diff -- Show all differences.
+#
+
+set -e
+blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source "${blackbox_home}/_blackbox_common.sh"
+
+if [[ -z $GPG_AGENT_INFO ]]; then
+  echo 'WARNING: You probably want to run gpg-agent as'
+  echo 'you will be asked for your passphrase many times.'
+  echo 'Example: $ eval $(gpg-agent --daemon)'
+  read -r -p 'Press CTRL-C now to stop. ENTER to continue: '
+fi
+
+prepare_keychain
+
+OLDIFS=$IFS
+
+modified_files=()
+echo '========== DIFFING FILES: START'
+while IFS= read <&99 -r unencrypted_file; do
+  unencrypted_file=$(get_unencrypted_filename "$unencrypted_file")
+  encrypted_file=$(get_encrypted_filename "$unencrypted_file")
+  fail_if_not_on_cryptlist "$unencrypted_file"
+  if [[ -f "$unencrypted_file" ]]; then
+    out=$(diff -u <(gpg --yes -q --decrypt "$encrypted_file") "$unencrypted_file" || true)
+    if [ "$out" != "" ]; then
+      echo ========== PROCESSING '"'$unencrypted_file'"'
+      echo "$out"
+      modified_files+=("$unencrypted_file")
+    fi
+  fi
+done 99<"$BB_FILES"
+echo '========== DIFFING FILES: DONE'
+
+fail_if_keychain_has_secrets
+
+IFS=$OLDIFS
+
+echo '========== DONE.'
+
+if [ ${#modified_files[@]} -eq 0 ] ; then
+  exit 0
+fi
+
+echo 'Likely next steps:'
+for f in "${modified_files[@]}" ; do
+  echo "    blackbox_edit_end" '"'$f'"'
+done