I think there are two issues at play here: replacing the contents of the file accurately and safely, and overwriting the unencrypted data on disk. Several good suggestions here, but they don’t take into account latter concern, so here is my idea:
- Create a temp file next to the original file and write the encrypted data to it.
- Open the original file, set position to 0 and write nulls or gibberish in the exact length of the original content.
- Delete the original file.
- Rename the temp file to the original’s name.
Let me emphasize that this in no way guarantees that the original, unencrypted data will really be overwritten by the OS, and someone with a block-level viewer may still be able to find it. But I think this gives you the best chance.