diff --git a/src/commands/git_secret_hide.sh b/src/commands/git_secret_hide.sh index 88120808..b62ccc28 100644 --- a/src/commands/git_secret_hide.sh +++ b/src/commands/git_secret_hide.sh @@ -1,5 +1,18 @@ #!/usr/bin/env bash +AWK_FSDB_UPDATE_HASH=' +BEGIN { FS=":"; OFS=":"; } +{ + if ( key == $1 ) + { + print key,hash; + } + else + { + print $1,$2; + } +} +' function _optional_clean { local clean="$1" @@ -26,7 +39,8 @@ function _optional_delete { while read -r line; do # So the formating would not be repeated several times here: - _find_and_clean "*$line" "$verbose" + local filename=$(_get_record_filename "$line") + _find_and_clean "*$filename" "$verbose" done < "$path_mappings" if [[ ! -z "$verbose" ]]; then @@ -35,20 +49,49 @@ function _optional_delete { fi } +function _get_checksum_local { + local checksum="$SECRETS_CHECKSUM_COMMAND" + echo "$checksum" +} + +function _get_file_hash { + local input_path="$1" # Required + local checksum_local + local file_hash + + checksum_local=$(_get_checksum_local) + file_hash=$($checksum_local $input_path | awk '{print $1}') + + echo "$file_hash" +} + +function _optional_fsdb_update_hash { + local key="$1" + local hash="$2" + local fsdb # path_mappings + + fsdb=$(_get_secrets_dir_paths_mapping) + + gawk -i inplace -v key=$key -v hash=$hash "$AWK_FSDB_UPDATE_HASH" "$fsdb" +} + function hide { local clean=0 local delete=0 + local fsdb_update_hash=0 # add checksum hashes to fsdb local verbose='' OPTIND=1 - while getopts 'cdvh' opt; do + while getopts 'cduvh' opt; do case "$opt" in c) clean=1;; d) delete=1;; + u) fsdb_update_hash=1;; + v) verbose='v';; h) _show_manual_for 'hide';; 
@@ -71,9 +114,13 @@ function hide { path_mappings=$(_get_secrets_dir_paths_mapping) local counter=0 - while read -r line; do + while read -r record; do + local filename + local fsdb_file_hash local encrypted_filename - encrypted_filename=$(_get_encrypted_filename "$line") + filename=$(_get_record_filename "$record") + fsdb_file_hash=$(_get_record_hash "$record") + encrypted_filename=$(_get_encrypted_filename "$filename") local recipients recipients=$(_get_recepients) @@ -83,13 +130,23 @@ function hide { local input_path local output_path - input_path=$(_append_root_path "$line") + input_path=$(_append_root_path "$filename") output_path=$(_append_root_path "$encrypted_filename") - # shellcheck disable=2086 - $gpg_local --use-agent --yes --trust-model=always --encrypt \ - $recipients -o "$output_path" "$input_path" - + file_hash=$(_get_file_hash $input_path) + + # encrypt file only if required + if [[ "$fsdb_file_hash" != "$file_hash" ]]; then + # shellcheck disable=2086 + $gpg_local --use-agent --yes --trust-model=always --encrypt \ + $recipients -o "$output_path" "$input_path" + # If -u option was provided, it will update unencrypted file hash + local key="$filename" + local hash="$file_hash" + # Update file hash if required in fsdb + [[ "$fsdb_update_hash" -gt 0 ]] && \ + _optional_fsdb_update_hash "$key" "$hash" + fi counter=$((counter+1)) done < "$path_mappings"
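Review bot: The new loop body splits each `record` into `filename` and `fsdb_file_hash` via `_get_record_filename`/`_get_record_hash`, but nothing here handles a mapping line that carries no hash field (a mapping file written before this change, or one edited by hand), and — judging by the `FS=":"` in the AWK script at the top of the diff — a filename containing `:` would be truncated to its first segment. A short comment on the loop would document the assumption: `# record is "<path>:<hash>"; hash is empty for entries that were never hashed`, and the two helpers should be confirmed to return an empty hash rather than part of the path in that case. Neither helper is defined in this diff, so I assume they live in the shared tools file. `hide` starts outside this hunk.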
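Review bot: The hash is written to the mapping file regardless of whether `$gpg_local` succeeded — the `_optional_fsdb_update_hash` call is gated only on `-u`, so a failed encryption (bad recipient, gpg error) leaves the file unencrypted yet marked current, and every later `hide` skips it unless the caller happens to run under `set -e`. The same skip occurs when the hashes match but `$output_path` no longer exists, e.g. after `-c` removed the encrypted copies, because the `if` tests only the hash. `file_hash` is also not declared `local` like the other loop variables, and `_get_file_hash $input_path` is unquoted (as is `$checksum_local $input_path` inside `_get_file_hash` earlier in the diff), so paths with spaces or glob characters break. Separately, the `-u` branch deserves a comment that the stored value is an unsalted digest of the plaintext and the mapping file appears to be committed alongside the encrypted files, so anyone with read access to the repository can check a guessed low-entropy secret against it offline.
```shell
    local file_hash
    file_hash=$(_get_file_hash "$input_path")

    # encrypt only when the stored hash is stale or the encrypted copy is gone
    if [[ "$fsdb_file_hash" != "$file_hash" || ! -f "$output_path" ]]; then
      # shellcheck disable=2086
      if $gpg_local --use-agent --yes --trust-model=always --encrypt \
        $recipients -o "$output_path" "$input_path"; then
        # record the plaintext hash (-u) only after encryption succeeded
        [[ "$fsdb_update_hash" -gt 0 ]] && \
          _optional_fsdb_update_hash "$filename" "$file_hash"
      fi
    fi
    # … unchanged: counter increment and loop end …
```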