diff --git a/passed b/passed
new file mode 100644
index 0000000..ea9e121
--- /dev/null
+++ b/passed
@@ -0,0 +1,48 @@
+#!/usr/bin/env ruby
+
+abort("usage: #{$PROGRAM_NAME} <sed options>") if ARGV.empty?
+
+sed_command = ['sed', *ARGV]
+PASS_DIR = ENV['PASSWORD_STORE_DIR'] || "#{ENV['HOME']}/.password-store"
+
+def keys(dir)
+  key_file = "#{dir}/.gpg-id"
+  return unless File.exist?(key_file)
+  File.read(key_file).lines.map(&:chomp)
+end
+
+def each_entry_with_key(dir = PASS_DIR, keys = nil, &block)
+  keys = keys(dir) || keys
+  fail('no encryption keys found') unless keys
+  Dir[File.join(dir, '*.gpg')].each do |entry|
+    yield(entry, keys)
+  end
+
+  Dir[File.join(dir, '*/')].each do |subdir|
+    each_entry_with_key(subdir, keys, &block)
+  end
+end
+
+each_entry_with_key do |entry, keys|
+  new_content = nil
+  IO.popen(['gpg', '--batch', '-q', '-d', entry]) do |gpg|
+    IO.popen(sed_command, 'w+') do |sed|
+      sed.write gpg.read
+      sed.close_write
+      new_content = sed.read
+    end
+  end
+
+  puts entry
+  puts new_content
+  puts 'overwrite? (y/N)'
+  answer = STDIN.gets
+  next unless answer && answer.chomp =~ /^y/i
+
+  recipients = keys.map { |key| ['-r', key] }.flatten
+  File.delete(entry)
+  encrypt_cmd = ['gpg', '--batch', '-q', '-e', '-o', entry, *recipients]
+  IO.popen(encrypt_cmd, 'w+') do |gpg|
+    gpg.write(new_content)
+  end
+end