diff --git a/bootstrap-workstation.sh b/bootstrap-workstation.sh
index 3c160870..40b46331 100755
--- a/bootstrap-workstation.sh
+++ b/bootstrap-workstation.sh
@@ -280,6 +280,33 @@ function install_nix_darwin() {
 # install_nix_darwin_function ends here
+# [[file:workstation.org::initial_bitwarden_sync_function][initial_bitwarden_sync_function]]
+# The initial BitWarden Sync process. Requires wshs/bww executable to
+# be built and available. This could all be more robust
+# extracting it is theoretically useful as it provides a mechanism for
+# resetting the secrets.
+# Likely this should be broken down into separate functions that can be reused.
+function initial_bitwarden_sync() {
+ # why is bash so cryptic
+ if [ ! -z "${BW_CLIENTID+x}" ] && \
+ [ ! -z "${BW_CLIENTSECRET+x}" ] && \
+ [ ! -z "${WS_BW_MASTER_PASS+x}" ]; then
+ info variables requried to run bww force-sync are set, running
+ if [ ! -d ~/secrets ]; then
+ mkdir ~/secrets;
+ fi
+ # overwriting anything that was previously in the file
+ echo "${WS_BW_MASTER_PASS}" > ~/secrets/bw_pass
+ bw login --apikey
+ bw_unlock
+ bw sync
+ $(nix path-info .#"wshs:exe:bww")/bin/bww force-sync
+ else
+ info variables required to run bww force sync are MISSING, skipping
+ fi
+}
+
+# initial_bitwarden_sync_function ends here
 info starting workstation bootstrap
 is_mac && {
 info ensuring xcode is installed
@@ -421,23 +448,7 @@ else
 fi
-# why is bash so cryptic
-if [ ! -z "${BW_CLIENTID+x}" ] && \
- [ ! -z "${BW_CLIENTSECRET+x}" ] && \
- [ ! -z "${WS_BW_MASTER_PASS+x}" ]; then
- info variables requried to run bww force-sync are set, running
- if [ ! -d ~/secrets ]; then
- mkdir ~/secrets;
- fi
- # overwriting anything that was previously in the file
- echo "${WS_BW_MASTER_PASS}" > ~/secrets/bw_pass
- bw login --apikey
- bw_unlock
- bw sync
- $(nix path-info .#"wshs:exe:bww")/bin/bww force-sync
-else
- info variables required to run bww force sync are MISSING, skipping
-fi
+initial_bitwarden_sync
 cat <<-EOF
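Review bot: `~/secrets` and `~/secrets/bw_pass` are created with whatever the caller's umask allows in the added `initial_bitwarden_sync` (first hunk, `@@ -280,6 +280,33 @@`), so under a common 022 umask the file holding the Bitwarden master password can end up readable by other local users. The directory should be tightened to 0700 before the secret is written and the file created 0600, with `printf` replacing `echo` so a value such as `-n` is not swallowed, as in the excerpt below. The excerpt also changes the guard from `${VAR+x}` to `-n "${VAR:-}"`, because the `+x` form is true for a variable that is set but empty, and an empty `WS_BW_MASTER_PASS` would overwrite an existing `bw_pass` with a blank line. The identical body appears in the new `lib/shell/setup/initial_bitwarden_sync.sh` and in the `initial_bitwarden_sync_function` block of `workstation.org`; both shell files carry org-babel link comments pointing at `workstation.org`, so the edit presumably belongs in the org block and is re-tangled from there.

```shell
function initial_bitwarden_sync() {
  # -n with :- rejects variables that are unset or set to the empty string
  if [ -n "${BW_CLIENTID:-}" ] && \
     [ -n "${BW_CLIENTSECRET:-}" ] && \
     [ -n "${WS_BW_MASTER_PASS:-}" ]; then
    # … unchanged: info message …
    # lock the directory down first, so the secret is never reachable by other users
    mkdir -p ~/secrets
    chmod 700 ~/secrets
    # new file is created 0600; the chmod covers a bw_pass that already existed
    (umask 077; printf '%s\n' "${WS_BW_MASTER_PASS}" > ~/secrets/bw_pass)
    chmod 600 ~/secrets/bw_pass
    # … unchanged: bw login, bw_unlock, bw sync, bww force-sync, else branch …
```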
diff --git a/lib/shell/setup/initial_bitwarden_sync.sh b/lib/shell/setup/initial_bitwarden_sync.sh
new file mode 100755
index 00000000..4562249e
--- /dev/null
+++ b/lib/shell/setup/initial_bitwarden_sync.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# [[file:../../../workstation.org::*Initial Bitwarden Sync][Initial Bitwarden Sync:2]]
+# The initial BitWarden Sync process. Requires wshs/bww executable to
+# be built and available. This could all be more robust
+# extracting it is theoretically useful as it provides a mechanism for
+# resetting the secrets.
+# Likely this should be broken down into separate functions that can be reused.
+function initial_bitwarden_sync() {
+ # why is bash so cryptic
+ if [ ! -z "${BW_CLIENTID+x}" ] && \
+ [ ! -z "${BW_CLIENTSECRET+x}" ] && \
+ [ ! -z "${WS_BW_MASTER_PASS+x}" ]; then
+ info variables requried to run bww force-sync are set, running
+ if [ ! -d ~/secrets ]; then
+ mkdir ~/secrets;
+ fi
+ # overwriting anything that was previously in the file
+ echo "${WS_BW_MASTER_PASS}" > ~/secrets/bw_pass
+ bw login --apikey
+ bw_unlock
+ bw sync
+ $(nix path-info .#"wshs:exe:bww")/bin/bww force-sync
+ else
+ info variables required to run bww force sync are MISSING, skipping
+ fi
+}
+
+initial_bitwarden_sync
+# Initial Bitwarden Sync:2 ends here
diff --git a/workstation.org b/workstation.org
index b7374168..7d478424 100644
--- a/workstation.org
+++ b/workstation.org
@@ -254,6 +254,7 @@ fi
 «install_nix_darwin_function»
+«initial_bitwarden_sync_function»
 #+end_src
 *** Log that bootstrap is starting
 #+begin_src shell
@@ -434,23 +435,7 @@ fi
 *** set up workstation secrets
 #+begin_src shell :noweb yes
-# why is bash so cryptic
-if [ ! -z "${BW_CLIENTID+x}" ] && \
- [ ! -z "${BW_CLIENTSECRET+x}" ] && \
- [ ! -z "${WS_BW_MASTER_PASS+x}" ]; then
- info variables requried to run bww force-sync are set, running
- if [ ! -d ~/secrets ]; then
- mkdir ~/secrets;
- fi
- # overwriting anything that was previously in the file
- echo "${WS_BW_MASTER_PASS}" > ~/secrets/bw_pass
- bw login --apikey
- bw_unlock
- bw sync
- $(nix path-info .#"wshs:exe:bww")/bin/bww force-sync
-else
- info variables required to run bww force sync are MISSING, skipping
-fi
+initial_bitwarden_sync
 #+end_src
 *** output final manual setup notes
@@ -746,6 +731,45 @@ function install_home_manager() {
 install_home_manager
 #+end_src
+
+*** Initial Bitwarden Sync
+
+#+name: initial_bitwarden_sync_function
+#+begin_src shell
+# The initial BitWarden Sync process. Requires wshs/bww executable to
+# be built and available. This could all be more robust
+# extracting it is theoretically useful as it provides a mechanism for
+# resetting the secrets.
+# Likely this should be broken down into separate functions that can be reused.
+function initial_bitwarden_sync() {
+ # why is bash so cryptic
+ if [ ! -z "${BW_CLIENTID+x}" ] && \
+ [ ! -z "${BW_CLIENTSECRET+x}" ] && \
+ [ ! -z "${WS_BW_MASTER_PASS+x}" ]; then
+ info variables requried to run bww force-sync are set, running
+ if [ ! -d ~/secrets ]; then
+ mkdir ~/secrets;
+ fi
+ # overwriting anything that was previously in the file
+ echo "${WS_BW_MASTER_PASS}" > ~/secrets/bw_pass
+ bw login --apikey
+ bw_unlock
+ bw sync
+ $(nix path-info .#"wshs:exe:bww")/bin/bww force-sync
+ else
+ info variables required to run bww force sync are MISSING, skipping
+ fi
+}
+
+#+end_src
+
+#+begin_src sh :tangle ./lib/shell/setup/initial_bitwarden_sync.sh :shebang "#!/usr/bin/env bash" :noweb yes
+
+«initial_bitwarden_sync_function»
+initial_bitwarden_sync
+
+#+end_src
+
 * Nix components
 ** Home Manager
 I use home manager as the primary method for installing and configuring software
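Review bot: The block tangled to `./lib/shell/setup/initial_bitwarden_sync.sh` expands only `«initial_bitwarden_sync_function»` and then calls it, so the standalone script defines neither `info` nor `bw_unlock`, both of which the function invokes. Unless the caller's environment supplies them, the first `info …` line fails with command-not-found or, where GNU Texinfo is installed, starts the unrelated `info` reader, and `bw_unlock` does not run before `bw sync`. Adding noweb references for the blocks that define those helpers ahead of the call (their block names are not visible in this diff) would make the script self-contained. `nix path-info .#"wshs:exe:bww"` also resolves `.` against the current directory, so the tangled script presumably only works when started from inside the repository checkout; a comment stating that, or a `cd` to the checkout before the call, would avoid a confusing failure.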