There are several options, but they all could leave you with a decrypted file on disk, waiting to be undeleted later. Shred might even have problems securely deleting a file (if there's a log/journal, redundant writes / RAID, temporary caches, compressed filesystems) and an SSD could swap sectors silently too. Even using a tmpfs filesystem is subject to being written out to swap. And the editing program you use could leave even more temporary/cache files. If your entire filesystem and swap is encrypted that helps a lot, but then do you really need more encryption?
If you're just saving basic text (like passwords) I'd suggest using a purpose-built program like KeePass(X/XC), LastPass, etc. Or a different encryption method, one that encrypts files like eCryptfs, EncFS, or that encrypts devices like LUKS, or a TrueCrypt successor.
But with just GPG, you could use one of these options
--passphrase-fd n
Read the passphrase from file descriptor n. Only the first line will be read from file descriptor n. If you use 0 for n, the passphrase will be read from STDIN. This can only be used if only one passphrase is supplied.
Note that this passphrase is only used if the option --batch has also been given. This is different from GnuPG version 1.x.
--passphrase-file file
Read the passphrase from file file. Only the first line will be read from file file. This can only be used if only one passphrase is supplied. Obviously, a passphrase stored in a file is of questionable security if other users can read this file. Don't use this option if you can avoid it. Note that this passphrase is only used if the option --batch has also been given. This is different from GnuPG version 1.x.
--passphrase string
Use string as the passphrase. This can only be used if only one passphrase is supplied. Obviously, this is of very questionable security on a multi-user system. Don't use this option if you can avoid it. Note that this passphrase is only used if the option --batch has also been given. This is different from GnuPG version 1.x.
For the above options, you'll probably need either --pinentry-mode loopback (allows entering new info, for example a new filename if there's a conflict) or --batch otherwise gpg will just ignore the passphrase options and still ask the agent for a passphrase (a bug IMO). This might be useful too:
--passphrase-repeat n
Specify how many times gpg will request a new passphrase be repeated. This is useful for helping memorize a passphrase. Defaults to 1 repetition.
You could only type the passphrase once and read / store it in a shell/bash variable (say $password), recalling it later with --passphrase="$password". Something like
until gpg --pinentry-mode loopback --passphrase="$password" --output $file_to_edit $ecrypted_file; do read -r password; done #Got out of the loop with a correct password, now echo "Some edit" >> $file_to_edit gpg --pinentry-mode loopback --passphrase="$password" --output $ecrypted_file --yes --symmetric $file_to_edit
(--yes to overwrite)
