Author: Martin Blais <>
Compare and merge contents of encrypted files relatively safely.

This script wraps around xxdiff, first decrypting the input files to temporary files (for a short time) and running xxdiff on these files. There are two typical uses of this program:

  1. it is used to compare two encrypted files. With the --merge option, a merge decision is required: an encrypted version of the merged file is written to the specified output file and the plaintext merged file is deleted promptly. Note that without the --merge option, even if the merged file is saved, it is deleted once xxdiff exits.
  2. it is used to split and resolve CVS conflicts in an armored encrypted file (see the --unmerge option). The merged file is encrypted and written over the conflicted input file (i.e. the input is replaced with the encrypted version of the merged file). This is very useful if you keep armored encrypted files in CVS repositories, because otherwise an encrypted file containing a CVS conflict becomes useless.

Using gpg-agent

Using this program with passphrase caching via gpg-agent makes it much easier to run on multiple files: the passphrase for the given key is requested only once by gpg-agent and kept in memory, after which decryption proceeds without user intervention.

Safety Notes

The encrypted files are decrypted to temporary files for a short amount of time, and are deleted when xxdiff appears. Note that their deletion is only as safe as Python's tempfile module allows it to be (in the author's opinion, safe enough). I left comments in the code so that a user can review where the files are decrypted and judge for themselves whether it is safe enough for their use.

We could do much better in terms of safety if we could feed the input files to xxdiff through different file descriptors (not impossible to implement) AND calculate the diffs internally.

(Note that if someone can manipulate which program is used to actually perform the diffs (e.g. modifying an unsuspecting user's resources in ~/.xxdiffrc), they could feed the decrypted files to an arbitrary program.)


xxdiff-encrypted [<options>] <encrypted-file> [<encrypted file> ...]


-h, --help            show this help message and exit
-x XXDIFF, --xxdiff=XXDIFF
                      specify path to xxdiff program to use
-g GPG, --gpg=GPG     specify path to gpg program to use
-o OUTPUT, --output=OUTPUT
                      require and encrypt merged output.
-u, --unmerge         split CVS conflicts in single input file and encrypt
                      required output merged file over input
-A, --dont-armor      Create output file in binary format.
                      Encrypt for user id name.
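As an added illustration (this is not the xxdiff-encrypted script itself), the following Python sketch implements the two mechanisms described above: decrypting the inputs into a private temporary directory that is wiped once xxdiff exits, and splitting a CVS-conflicted file into the two sides that --unmerge compares. The gpg command line, the xxdiff invocation and the function names are assumptions; the real script deletes the temporaries earlier and may use different options.

```python
import os
import shutil
import subprocess
import tempfile


def split_cvs_conflicts(text):
    """Split text containing CVS conflict markers into (left, right).

    'left' keeps the '<<<<<<<' side, 'right' the '>>>>>>>' side; lines outside
    any conflict block appear in both.  Unbalanced markers raise ValueError so
    a corrupt file never silently yields a half-resolved side.
    """
    left, right, state = [], [], None        # state: None | "left" | "right"
    for line in text.splitlines(keepends=True):
        if line.startswith("<<<<<<< ") and state is None:
            state = "left"
        elif line.rstrip("\n") == "=======" and state == "left":
            state = "right"
        elif line.startswith(">>>>>>> ") and state == "right":
            state = None
        elif state == "left":
            left.append(line)
        elif state == "right":
            right.append(line)
        else:
            left.append(line)
            right.append(line)
    if state is not None:
        raise ValueError("unterminated CVS conflict block")
    return "".join(left), "".join(right)


def diff_encrypted(paths, gpg="gpg", xxdiff="xxdiff"):
    """Decrypt each file into a 0700 temp dir, run xxdiff, then wipe the dir.

    Assumed flow (not the original script's): plaintext lives only under
    tmpdir, is made 0600, and is removed in the finally clause even if gpg
    or xxdiff fails.  Returns xxdiff's exit status.
    """
    tmpdir = tempfile.mkdtemp(prefix="xxdiff-enc-")   # created mode 0700
    try:
        clear = []
        for path in paths:
            out = os.path.join(tmpdir, os.path.basename(path) + ".clear")
            # --batch/--yes: no prompts; a running gpg-agent supplies the key
            subprocess.run([gpg, "--quiet", "--batch", "--yes",
                            "--output", out, "--decrypt", path], check=True)
            os.chmod(out, 0o600)
            clear.append(out)
        return subprocess.run([xxdiff] + clear).returncode
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)   # plaintext gone with it
```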


Copyright (C) 2003-2004 Martin Blais <>. This code is distributed under the terms of the GNU General Public License.