diff --git a/hosts/common/programs/sane-scripts.nix b/hosts/common/programs/sane-scripts.nix
index e0926a027..565f1cb00 100644
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@@ -130,7 +130,6 @@ in
 ".persist/private"
 ];
 };
-
 "sane-scripts.private-do".sandbox = {
 # because `mount` is a cap_sys_admin syscall, there's no great way to mount stuff dynamically like this.
 # instead, we put ourselves in a mount namespace, do the mount, and drop into a shell or run a command.
@@ -145,6 +144,14 @@ in
 net = "all";
 extraPaths = [ "/" ];
 };
+ "sane-scripts.private-init".sandbox = {
+ method = "bwrap";
+ wrapperType = "wrappedDerivation";
+ capabilities = [ "sys_admin" ]; # it needs to mount the new store
+ extraHomePaths = [
+ ".persist/private"
+ ];
+ };
 "sane-scripts.private-lock".sandbox.enable = false;
 "sane-scripts.private-unlock".sandbox.enable = false;
diff --git a/pkgs/additional/sane-scripts/src/sane-private-init b/pkgs/additional/sane-scripts/src/sane-private-init
index a9e914b5a..78509639d 100755
--- a/pkgs/additional/sane-scripts/src/sane-private-init
+++ b/pkgs/additional/sane-scripts/src/sane-private-init
@@ -5,7 +5,13 @@ set -ex
 # configure persistent, encrypted storage that is auto-mounted on login.
 # this is a one-time setup and user should log out/back in after running it.
+p=/nix/persist/private
+
+if ! test -d "$p" || ! test -w "$p"; then
+ echo "you must first create the backing dir, with appropriate permissions:"
+ echo "- sudo mkdir $p"
+ echo "- sudo chown colin:users $p"
+ echo "then re-run this script"
+fi
-p=/nix/persist/home/colin/private
-mkdir -p $p
 gocryptfs -init $p
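Review bot: `capabilities = [ "sys_admin" ]` on the new `sane-scripts.private-init` sandbox is justified only by the comment "it needs to mount the new store", yet the one gocryptfs call visible in this commit's script hunk is `gocryptfs -init`, which creates the filesystem's config and does not mount it. CAP_SYS_ADMIN is one of the broadest capabilities a sandbox can hand out, so if nothing later in sane-private-init (the rest of the script is outside this diff) performs a mount, the line should be dropped. Otherwise the comment should name the step that mounts, e.g. `# needed for the <mount step> in sane-private-init`. It is also worth confirming that `extraHomePaths = [ ".persist/private" ]` resolves to the `/nix/persist/private` the script now uses, since the two paths are spelled differently and the script's `test -w` check would fail inside the sandbox if it does not.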
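Review bot: The new precondition block prints the setup instructions but never stops the script, so when `$p` is missing or not writable execution falls through to `gocryptfs -init $p`; add `exit 1` before `fi`. With `set -ex` a gocryptfs failure would still abort the run, but the user then sees its error after the guidance, and the outcome depends on gocryptfs rejecting the path rather than on the check itself. Sending the four `echo` lines to stderr with `>&2` and quoting the last use as `gocryptfs -init "$p"` would match the quoting already used in the `test` calls. The script may continue past the end of this hunk.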