diff --git a/bin/_blackbox_common.sh b/bin/_blackbox_common.sh index e39663a..b2b9cb9 100755 --- a/bin/_blackbox_common.sh +++ b/bin/_blackbox_common.sh @@ -76,6 +76,10 @@ SECRING="${KEYRINGDIR}/secring.gpg" : "${DECRYPT_UMASK:=0022}" ; # : ${DECRYPT_UMASK:=o=} ; +# $BB_FILES file format: +# Filenames are listed one per line, relative to the base directory of the repo. +# Each line is listed in "printf %q" format, which escapes special chars. + # Checks if $1 is 0 bytes, and if $1/keyrings # is a directory function is_blackbox_repo() { @@ -86,10 +90,18 @@ function is_blackbox_repo() { fi } -# Return error if not on cryptlist. +# is_on_cryptlist resturns an error if $1 not on cryptlist. function is_on_cryptlist() { + # $1: The filename. # Assumes $1 does NOT have the .gpg extension - file_contains_line "$BB_FILES" "$(vcs_relative_path "$1")" + + # https://github.com/koalaman/shellcheck/wiki/SC2155 + local name + name=$(vcs_relative_path "$1") + local encodedname + encodedname=$(printf "%q" "$name") + + file_contains_line "$BB_FILES" "$encodedname" } # Exit with error if a file exists. 
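Review bot: `is_on_cryptlist` now looks up the `printf %q` form of the name, so an entry written to `$BB_FILES` before this change in raw form (a name containing a space, for example) no longer matches and the file is reported as not registered; the diff shows no migration of existing lists. `file_contains_line` is outside this diff, and since encoded names contain backslashes it is worth confirming that it compares whole lines as fixed strings rather than as a pattern. The new `$BB_FILES` format comment should also say how a line is decoded, and that the file is repository content that must never be passed to `eval`. Typo in the header comment: `resturns` should be `returns`.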
@@ -151,16 +163,33 @@ function get_pubring_path() { fi } -# Output the unencrypted filename. -function get_unencrypted_filename() { - echo "$(dirname "$1")/$(basename "$1" .gpg)" | sed -e 's#^\./##' +# normalize_filename_arg takes a filename from the command line and +# outputs the non-encrypted filename. +function normalize_filename() { + # $1: the input from a user + # Use this if the user may have entered the encrypted or + # non-encrypted filename. + local name + name=$(vcs_relative_path "$1") + echo "$(dirname "$name")/$(basename "$name" .gpg)" | sed -e 's#^\./##' } # Output the encrypted filename. -function get_encrypted_filename() { - echo "$(dirname "$1")/$(basename "$1" .gpg).gpg" | sed -e 's#^\./##' +function get_gpg_filename() { + # $1: normalized file path + echo "$1".gpg } +## Output the unencrypted filename. +#function get_unencrypted_filename() { +# echo "$(dirname "$1")/$(basename "$1" .gpg)" | sed -e 's#^\./##' +#} +# +## Output the encrypted filename. +#function get_encrypted_filename() { +# echo "$(dirname "$1")/$(basename "$1" .gpg).gpg" | sed -e 's#^\./##' +#} + # Prepare keychain for use. function prepare_keychain() { echo '========== Importing keychain: START' >&2 
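Review bot: `get_unencrypted_filename` and `get_encrypted_filename` are commented out here, but the new sides of `blackbox_diff`, `blackbox_postdeploy`, `blackbox_shred_all_files`, `blackbox_update_all_files` and `_blackbox_common_test.sh` in this same commit still call them; unless they are defined elsewhere, those calls fail with command-not-found and the loops continue with empty filenames. Either keep both definitions active until the callers are moved to `normalize_filename` / `get_gpg_filename`, or migrate the callers in this commit, and delete the commented-out copies rather than keeping them. The comment above the new function names it `normalize_filename_arg` while the definition is `normalize_filename`. In `get_gpg_filename`, `printf '%s\n' "$1.gpg"` is safer than `echo "$1".gpg` for a name that begins with `-`.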
@@ -168,37 +197,43 @@ function prepare_keychain() { echo '========== Importing keychain: DONE' >&2 } -# Add file to list of encrypted files. +# add_filename_to_cryptlist adds $1 to the list of encrypted files. function add_filename_to_cryptlist() { + # $1: The filename. # If the name is already on the list, this is a no-op. - # However no matter what the datestamp is updated. - + # https://github.com/koalaman/shellcheck/wiki/SC2155 local name name=$(vcs_relative_path "$1") + local encodedname + encodedname=$(printf "%q" "$name") - if file_contains_line "$BB_FILES" "$name" ; then + + if file_contains_line "$BB_FILES" "$encodedname" ; then echo "========== File is registered. No need to add to list." else echo "========== Adding file to list." touch "$BB_FILES" - sort -u -o "$BB_FILES" <(echo "$name") "$BB_FILES" + sort -u -o "$BB_FILES" <(printf "%q\n" "$name") "$BB_FILES" fi } -# Removes a file from the list of encrypted files +# remove_filename_from_cryptlist removes $1 from the list of encrypted files. function remove_filename_from_cryptlist() { + # $1: The filename. # If the name is not already on the list, this is a no-op. # https://github.com/koalaman/shellcheck/wiki/SC2155 local name name=$(vcs_relative_path "$1") + local encodedname + encodedname=$(printf "%q" "$name") - if ! file_contains_line "$BB_FILES" "$name" ; then + if ! file_contains_line "$BB_FILES" "$encodedname" ; then echo "========== File is not registered. No need to remove from list." else echo "========== Removing file from list." - remove_line "$BB_FILES" "$name" + remove_line "$BB_FILES" "$encodedname" fi } diff --git a/bin/_blackbox_common_test.sh b/bin/_blackbox_common_test.sh index b0ed135..e3b0908 100755 --- a/bin/_blackbox_common_test.sh +++ b/bin/_blackbox_common_test.sh @@ -6,7 +6,7 @@ set -e . "${0%/*}/_blackbox_common.sh" -. tools/test_functions.sh +. /Users/tlimoncelli/gitwork/blackbox/tools/test_functions.sh PHASE 'Test cp-permissions: TestA' touch TestA TestB TestC TestD 
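Review bot: In `add_filename_to_cryptlist` the membership test uses `$encodedname`, but the line handed to `sort` comes from a second `printf "%q\n" "$name"`; feeding `<(printf '%s\n' "$encodedname")` to `sort -u` guarantees that the string checked is the string stored. `remove_line` is not visible in this diff, so confirm that it removes an exact, fixed-string line now that the key contains backslashes. The encode step (`vcs_relative_path` followed by `printf %q`) is repeated verbatim in `remove_filename_from_cryptlist` and `is_on_cryptlist` and would be better as one helper.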
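Review bot: The test now sources `/Users/tlimoncelli/gitwork/blackbox/tools/test_functions.sh`, an absolute path into one developer's checkout, so on any other machine the test either aborts or sources whatever file happens to exist at that path. Resolve it relative to the script, as the line above does for `_blackbox_common.sh`, for example `. "${0%/*}/../tools/test_functions.sh"`.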
@@ -22,4 +22,18 @@ assert_file_perm '--wxr--rwx' TestC assert_file_perm '----rwx---' TestD # TestD doesn't change. rm -f TestA TestB TestC TestD +PHASE 'Test vcs_relative_path: TestA' +export REPOBASE='/Users/tlimoncelli/Applications (Parallels)/{fd3049c8-9fdd-48d5-aa16-d31daf3a6879} Applications.localized' +FILE='Microsoft Windows Fax and Scan.app/Contents' +result=$(vcs_relative_path Contents) +echo result=XXX${result}XXX +if [[ $FILE != $result ]] ; then + echo FAIL +fi + +unencrypted_file=$(get_unencrypted_filename "${result}.gpg") +echo un=XXX${unencrypted_file}XXX +encrypted_file=$(get_encrypted_filename "${result}") +echo en=XXX${encrypted_file}XXX + echo '========== DONE.' diff --git a/bin/blackbox_cat b/bin/blackbox_cat index a6299a8..a7a0634 100755 --- a/bin/blackbox_cat +++ b/bin/blackbox_cat @@ -8,7 +8,7 @@ source "${0%/*}/_blackbox_common.sh" for param in "$@" ; do shreddable=0 - unencrypted_file=$(get_unencrypted_filename "$param") + unencrypted_file=$(normalize_filename "$param") if [[ ! -e "$unencrypted_file" ]]; then "${BLACKBOX_HOME}/blackbox_edit_start" "$param" shreddable=1 diff --git a/bin/blackbox_diff b/bin/blackbox_diff index f83355d..7133900 100755 --- a/bin/blackbox_diff +++ b/bin/blackbox_diff @@ -19,8 +19,10 @@ prepare_keychain modified_files=() modifications=() echo '========== DIFFING FILES: START' -while IFS= read <&99 -r unencrypted_file; do - unencrypted_file=$(get_unencrypted_filename "$unencrypted_file") +while IFS= read <&99 -r encodedname; do + local name + name=$(echo $encodedname) + unencrypted_file=$(get_unencrypted_filename "$name") encrypted_file=$(get_encrypted_filename "$unencrypted_file") fail_if_not_on_cryptlist "$unencrypted_file" if [[ -f "$unencrypted_file" ]]; then diff --git a/bin/blackbox_list_files b/bin/blackbox_list_files index 4b62158..30b86f7 100755 --- a/bin/blackbox_list_files +++ b/bin/blackbox_list_files 
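Review bot: The new `vcs_relative_path` check prints `FAIL` but never exits non-zero, so a regression here still ends with `========== DONE.`; it should read `if [[ "$FILE" != "$result" ]]; then echo FAIL; exit 1; fi`, with the right-hand side quoted so it is compared as a string and not as a glob pattern. `REPOBASE` points at a directory under `/Users/tlimoncelli/...` that presumably exists only on the author's machine, so the expected value may not be reproducible elsewhere; a fixture directory created with `mktemp -d` would make the test portable. The last four added lines call `get_unencrypted_filename` and `get_encrypted_filename`, which this commit comments out in `_blackbox_common.sh`.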
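Review bot: `normalize_filename` passes its argument through `vcs_relative_path`, so `unencrypted_file` may now be relative to the repository root, while the `[[ ! -e "$unencrypted_file" ]]` test on the next line is resolved against the current directory. `vcs_relative_path` and any directory change are outside this hunk, so this is an inference; if it holds, running `blackbox_cat` from a subdirectory would test the wrong path and could set `shreddable=1` for a file the user had already decrypted. A comment stating which directory the normalized name is relative to, or a `change_to_vcs_root` call before the test, would settle it. The loop body continues outside the hunk.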
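Review bot: `name=$(echo $encodedname)` does not reverse `printf %q`: the unquoted expansion is word-split and subject to pathname expansion, backslashes are kept, and `$'...'` forms are left as text, so any name that actually needed encoding comes back wrong. The same line is added in `blackbox_shred_all_files` and three times in `blackbox_update_all_files`; in the shred loop a mangled name makes the `-f` test false, so the plaintext would be skipped rather than shredded. Decode in one helper in `_blackbox_common.sh` that handles only the escapes `%q` emits, without `eval`, because `$BB_FILES` is repository content. `local name` sits in a top-level `while` loop, where bash rejects `local` with a non-zero status (fatal if the script runs under `set -e`); a plain `name=...` assignment is what is wanted here.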
@@ -5,4 +5,7 @@ # set -e source "${0%/*}/_blackbox_common.sh" -cat "$BB_FILES" + +while IFS= read <&99 -r encodedname; do + echo $encodedname +done 99<"$BB_FILES" diff --git a/bin/blackbox_postdeploy b/bin/blackbox_postdeploy index 4d40d64..c53b9b9 100755 --- a/bin/blackbox_postdeploy +++ b/bin/blackbox_postdeploy @@ -27,8 +27,12 @@ prepare_keychain # Decrypt: echo '========== Decrypting new/changed files: START' -while IFS= read <&99 -r unencrypted_file; do - encrypted_file=$(get_encrypted_filename "$unencrypted_file") +while IFS= read <&99 -r encodedname; do + local name + name=$(echo $name) + + encrypted_file=$(get_encrypted_filename "$name") + unencrypted_file=$(get_unencrypted_filename "$name") decrypt_file_overwrite "$encrypted_file" "$unencrypted_file" cp_permissions "$encrypted_file" "$unencrypted_file" if [[ ! -z "$FILE_GROUP" ]]; then diff --git a/bin/blackbox_shred_all_files b/bin/blackbox_shred_all_files index 53e76de..05e5bd2 100755 --- a/bin/blackbox_shred_all_files +++ b/bin/blackbox_shred_all_files @@ -21,9 +21,11 @@ source "${0%/*}/_blackbox_common.sh" change_to_vcs_root echo '========== FILES BEING SHREDDED:' -while IFS= read <&99 -r unencrypted_file; do - unencrypted_file=$(get_unencrypted_filename "$unencrypted_file") - encrypted_file=$(get_encrypted_filename "$unencrypted_file") +while IFS= read <&99 -r encodedname; do + local name + name=$(echo $encodedname) + unencrypted_file=$(get_unencrypted_filename "$name") + encrypted_file=$(get_encrypted_filename "$name") if [[ -f "$unencrypted_file" ]]; then echo " $unencrypted_file" shred_file "$unencrypted_file" diff --git a/bin/blackbox_update_all_files b/bin/blackbox_update_all_files index 564f002..fc5eb90 100755 --- a/bin/blackbox_update_all_files +++ b/bin/blackbox_update_all_files 
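Review bot: `echo $encodedname` replaces `cat "$BB_FILES"` with an unquoted expansion, so each line is word-split and glob-expanded before it is printed, and the output is still in `%q` form rather than a usable filename. If the encoded form is the intended output, `printf '%s\n' "$encodedname"` prints it unchanged; if consumers of this command expect real filenames, the line needs a proper decode step first.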
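Review bot: In the decrypt loop `name=$(echo $name)` expands `$name`, not the `$encodedname` that `read` just filled, so unless `name` is set earlier in the script it is empty on every iteration and `encrypted_file` / `unencrypted_file` are derived from an empty string instead of the listed file. The substitution should take `$encodedname` as its input. `local name` is also used outside a function here, which bash reports as an error and which returns non-zero.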
@@ -18,15 +18,19 @@ disclose_admins prepare_keychain echo '========== ENCRYPTED FILES TO BE RE-ENCRYPTED:' -while IFS= read <&99 -r unencrypted_file; do - echo " $unencrypted_file.gpg" +while IFS= read <&99 -r encodedname; do + local name + name=$(echo $encodedname) + echo " $name.gpg" done 99<"$BB_FILES" echo '========== FILES IN THE WAY:' need_warning=false -while IFS= read <&99 -r unencrypted_file; do - unencrypted_file=$(get_unencrypted_filename "$unencrypted_file") - encrypted_file=$(get_encrypted_filename "$unencrypted_file") +while IFS= read <&99 -r encodedname; do + local name + name=$(echo $encodedname) + unencrypted_file=$(get_unencrypted_filename "$name") + encrypted_file=$(get_encrypted_filename "$name") if [[ -f "$unencrypted_file" ]]; then need_warning=true echo " $unencrypted_file" @@ -41,9 +45,11 @@ else fi echo '========== RE-ENCRYPTING FILES:' -while IFS= read <&99 -r unencrypted_file; do - unencrypted_file=$(get_unencrypted_filename "$unencrypted_file") - encrypted_file=$(get_encrypted_filename "$unencrypted_file") +while IFS= read <&99 -r encodedname; do + local name + name=$(echo $encodedname) + unencrypted_file=$(get_unencrypted_filename "$name") + encrypted_file=$(get_encrypted_filename "$name") echo ========== PROCESSING '"'$unencrypted_file'"' fail_if_not_on_cryptlist "$unencrypted_file" decrypt_file_overwrite "$encrypted_file" "$unencrypted_file"