diff --git a/pkgs/sane-scripts/default.nix b/pkgs/sane-scripts/default.nix
index 6aa01ed1..e3a052b3 100644
--- a/pkgs/sane-scripts/default.nix
+++ b/pkgs/sane-scripts/default.nix
@@ -56,6 +56,7 @@ resholve.mkDerivation {
 
           # these are used internally; probably a better fix
           "sane-mount-servo"
+          "sane-private-lock"
           "sane-private-unlock"
         ];
       };
diff --git a/pkgs/sane-scripts/src/sane-private-do b/pkgs/sane-scripts/src/sane-private-do
new file mode 100755
index 00000000..04586d90
--- /dev/null
+++ b/pkgs/sane-scripts/src/sane-private-do
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+# unlock the ~/private store, run some command, and then re-lock the store
+
+set -x
+
+external_cmd=$@
+
+sane-private-unlock
+$external_cmd
+exec sane-private-lock
diff --git a/pkgs/sane-scripts/src/sane-private-unlock b/pkgs/sane-scripts/src/sane-private-unlock
index fb518bd3..f63c1b89 100755
--- a/pkgs/sane-scripts/src/sane-private-unlock
+++ b/pkgs/sane-scripts/src/sane-private-unlock
@@ -2,8 +2,7 @@
 
 set -ex
 
-# configure persistent, encrypted storage that is auto-mounted on login.
-# this is a one-time setup and user should log out/back in after running it.
+# mounts ~/private
 
 mount=/home/colin/private
 cipher="/nix/persist$mount"