diff --git a/docs/try.1.md b/docs/try.1.md index d3ee1ed6..be17fe84 100644 --- a/docs/try.1.md +++ b/docs/try.1.md @@ -61,6 +61,10 @@ This option is recommended in case OverlayFS fails. : Specify a colon-separated list of directories to be used as lower directories for the overlay, formatted as "dir1:dir2:...:dirn" (implies -n). +-E *PATHS* + +: Specify files to exclude from the sandbox, formatted as "file1:file2:...:filen". + ## Subcommands diff --git a/test/excl_files.sh b/test/excl_files.sh new file mode 100755 index 00000000..d987d31c --- /dev/null +++ b/test/excl_files.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +TRY_TOP="${TRY_TOP:-$(git rev-parse --show-toplevel --show-superproject-working-tree 2>/dev/null || echo "${0%/*}")}" +TRY="$TRY_TOP/try" + +cleanup() { + cd .. + + if [ -d "$try_workspace" ] + then + rm -rf "$try_workspace" >/dev/null 2>&1 + fi +} + +trap 'cleanup' EXIT + +# try -E fails in /tmp on too many overlays +try_workspace="$(mktemp -d -p .)" + +cd "$try_workspace" || exit 9 + +echo secret > hidden1 +echo notsecret > nonhidden2 + +! "$TRY" -n -E hidden1 cat hidden1 | grep secret diff --git a/try b/try index 3f8e059d..5ff7054b 100755 --- a/try +++ b/try @@ -81,6 +81,22 @@ try() { findmnt --real -r -o target -n >>"$DIRS_AND_MOUNTS" sort -u -o "$DIRS_AND_MOUNTS" "$DIRS_AND_MOUNTS" + # Setup excluded entries + excldir="$SANDBOX_DIR/excldir" + if [ -n "$EXCL_ENTS" ] + then + OLDIFS=$IFS + IFS=":" + mkdir "$excldir" + for exclent in $EXCL_ENTS + do + whiteout_file="$SANDBOX_DIR/excldir/$(realpath "$exclent")" + mkdir -p "$(dirname "$whiteout_file")" + mknod "$whiteout_file" c 0 0 + done + IFS=$OLDIFS + fi + # Calculate UPDATED_DIRS_AND_MOUNTS that contains the merge arguments in LOWER_DIRS UPDATED_DIRS_AND_MOUNTS="$SANDBOX_DIR"/mounts.updated export UPDATED_DIRS_AND_MOUNTS 
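Review bot: The final assertion in test/excl_files.sh, `! "$TRY" -n -E hidden1 cat hidden1 | grep secret`, also succeeds when `try` fails to start or the overlay cannot be set up, because grep then has nothing to match. `nonhidden2` is created but never read, so no positive control shows that the sandboxed command actually ran. I would add `"$TRY" -n -E hidden1 cat nonhidden2 | grep -q notsecret || exit 1` before the last line. The negated check should stay last so that its status remains the script's exit status.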
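Review bot: In the `# Setup excluded entries` loop of `try()`, the results of `realpath`, `mkdir -p` and `mknod` are never checked, so a whiteout that could not be created leaves the path readable inside the sandbox while the command still runs. For an option meant to hide files, that is a fail-open; each step should abort the run instead. An empty field in the list (`a::b`) hits the same problem, since `realpath ""` fails and the whiteout target collapses to the `excldir` root. The sketch below assumes `error` terminates the script, as it appears to in the option parser; `try()` itself begins and ends outside this hunk.

```sh
    for exclent in $EXCL_ENTS
    do
        # Refuse to run if an excluded path cannot be resolved or hidden.
        if ! excl_path="$(realpath "$exclent")"
        then
            error "cannot resolve excluded path '$exclent'" 2
        fi
        whiteout_file="$excldir$excl_path"
        if ! mkdir -p "$(dirname "$whiteout_file")" || ! mknod "$whiteout_file" c 0 0
        then
            error "cannot hide '$exclent' from the sandbox" 2
        fi
    done
    # … unchanged: IFS=$OLDIFS …
```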
@@ -90,6 +106,11 @@ try() { OLDIFS=$IFS IFS=":" + if [ -d "$excldir/$mountpoint" ] + then + new_mountpoint="$excldir/$mountpoint" + fi + for lower_dir in $LOWER_DIRS do temp_mountpoint="$lower_dir/upperdir$mountpoint" @@ -627,7 +648,7 @@ NO_COMMIT="interactive" # We move it to $SANDBOX_DIR/ignore in `try()`, but delete it when we don't move it. IGNORE_FILE="$(mktemp --suffix ".try-$EXECID")" -while getopts ":yvnhxi:D:U:L:" opt +while getopts ":yvnhxi:D:U:L:E:" opt do case "$opt" in (y) NO_COMMIT="commit";; @@ -645,6 +666,11 @@ do fi LOWER_DIRS="$OPTARG" NO_COMMIT="quiet";; + (E) if [ -n "$EXCL_ENTS" ] + then + error "the -E option has been specified multiple times" 2 + fi + EXCL_ENTS="$OPTARG";; (v) echo "$TRY_COMMAND version $TRY_VERSION" >&2 exit 0;; (U) if ! [ -x "$OPTARG" ]
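Review bot: The new `[ -d "$excldir/$mountpoint" ]` test in `try()` only takes effect when the excluded path lies below the mount point. If the path given to `-E` is itself an entry of `$DIRS_AND_MOUNTS`, the whiteout created at that location is a character device, the `-d` test is false, and the exclusion is dropped without any message. I would add a branch that refuses this case, for example `elif [ -e "$excldir/$mountpoint" ]; then error "cannot exclude mount point '$mountpoint'" 2`. The loop that sets and consumes `new_mountpoint` starts and ends outside this hunk, so it is also worth confirming that the variable is reset for every mount point before this check.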
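Review bot: The `(E)` arm of the option `case` tests `[ -n "$EXCL_ENTS" ]`, but no visible hunk initialises `EXCL_ENTS` before the `getopts` loop. If that holds for the whole file, a value inherited from the caller's environment would make a single `-E` report "specified multiple times". Without `-E`, the inherited value would be used by `try()` as the exclusion list. Adding `EXCL_ENTS=""` next to the `NO_COMMIT="interactive"` default keeps the option the only source of the list. The `case` statement continues outside this hunk.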