diff --git a/hosts/common/programs/sane-scripts.nix b/hosts/common/programs/sane-scripts.nix
index 2b5895ff6..a14c166e4 100644
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@@ -25,7 +25,6 @@ in
 "sane-scripts.deadlines"
 "sane-scripts.find-dotfiles"
 "sane-scripts.ip-check"
- "sane-scripts.private-change-passwd"
 "sane-scripts.private-do"
 "sane-scripts.private-init"
 "sane-scripts.private-lock"
@@ -119,14 +118,6 @@ in
 "sane-scripts.ip-port-forward" = {};
- "sane-scripts.private-change-passwd".sandbox = {
- method = "bwrap";
- autodetectCliPaths = "existing"; #< for the new `private` location
- capabilities = [ "sys_admin" ]; # it needs to mount the new store
- extraHomePaths = [
- ".persist/private"
- ];
- };
 "sane-scripts.private-do".sandbox = {
 # because `mount` is a cap_sys_admin syscall, there's no great way to mount stuff dynamically like this.
 # instead, we put ourselves in a mount namespace, do the mount, and drop into a shell or run a command.
diff --git a/pkgs/additional/sane-scripts/default.nix b/pkgs/additional/sane-scripts/default.nix
index 8d8afadbc..fedf943aa 100644
--- a/pkgs/additional/sane-scripts/default.nix
+++ b/pkgs/additional/sane-scripts/default.nix
@@ -118,11 +118,6 @@ let
 srcRoot = ./src;
 pkgs = [ "inetutils" "miniupnpc" "sane-scripts.lib.ssdp"];
 };
- private-change-passwd = static-nix-shell.mkBash {
- pname = "sane-private-change-passwd";
- srcRoot = ./src;
- pkgs = [ "gocryptfs" "rsync" ];
- };
 private-do = static-nix-shell.mkBash {
 pname = "sane-private-do";
 srcRoot = ./src;
diff --git a/pkgs/additional/sane-scripts/src/sane-private-change-passwd b/pkgs/additional/sane-scripts/src/sane-private-change-passwd
deleted file mode 100755
index 045c78763..000000000
--- a/pkgs/additional/sane-scripts/src/sane-private-change-passwd
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p bash -p gocryptfs -p rsync
-
-# HOW TO USE
-# ```sh
-# $ sudo mkdir /nix/persist/private.new && sudo chown colin:users /nix/persist/private.new
-# $ sane-private-change-passwd /nix/persist/private.new
-# this should prompt you to enter a password for the new directory.
-# now all data in the original /mnt/persist/private has been re-encrypted, into /nix/persist/private.new/cipher
-# if the data on-disk looks reasonable, continue:
-# $ sudo mv /nix/persist/private /nix/persist/private.old
-# $ sudo mv /nix/persist/private.new/cipher /nix/persist/private
-# $ sudo rmdir /nix/persist/private.new
-# ```
-
-set -ex
-
-new_cipher="$1/cipher"
-new_plain="$1/plain"
-old_plain=/mnt/persist/private
-old_cipher=/nix/persist/private
-
-mkdir -p "$new_cipher"
-mkdir -p "$new_plain"
-
-# initialize the new store
-gocryptfs -init "$new_cipher"
-
-# mount the new store. assume the old store is mounted.
-# if old store ISN'T mounted, then run this entire script inside `sane-private-do`
-gocryptfs "$new_cipher" "$new_plain"
-
-# transfer to the new store
-rsync -arv "$old_plain/" "$new_plain/"
-
-echo "now spot-check the data on-disk at $new_cipher"
-echo "if it looks good, then:"
-echo " - sudo mv $old_cipher $old_cipher.old"
-echo " - sudo mv $new_cipher $old_cipher"
-echo " - sudo rmdir $new_plain && sudo rmdir $new_plain/.."