diff --git a/flake-parts/install-anywhere.nix b/flake-parts/install-anywhere.nix
index 9a3ad4d..c0f1570 100644
--- a/flake-parts/install-anywhere.nix
+++ b/flake-parts/install-anywhere.nix
@@ -37,10 +37,14 @@ _: {
           echo "$new_age_key" > "hosts/$host/keys/age.pub"
 
           echo "==> Updating SOPS secrets..."
-          BW_SESSION="$(bw unlock --raw || bw login --raw)"
-          export BW_SESSION
-          SOPS_AGE_KEY="$(bw get notes 'admin age-key')"
-          export SOPS_AGE_KEY
+          if ! declare -px BW_SESSION >/dev/null 2>&1; then
+            BW_SESSION="$(bw unlock --raw || bw login --raw)"
+            export BW_SESSION
+          fi
+          if ! declare -px SOPS_AGE_KEY >/dev/null 2>&1; then
+            SOPS_AGE_KEY="$(bw get notes 'admin age-key')"
+            export SOPS_AGE_KEY
+          fi
           SOPS_CONFIG="$(nix build .#sops-config --print-out-paths)"
           export SOPS_CONFIG
           sops updatekeys --yes "hosts/$host/secrets.json"
diff --git a/flake-parts/sops.nix b/flake-parts/sops.nix
index 52689b7..96474d4 100644
--- a/flake-parts/sops.nix
+++ b/flake-parts/sops.nix
@@ -49,11 +49,14 @@
 
         nativeBuildInputs = [ pkgs.bitwarden-cli ];
         shellHook = ''
-          if BW_SESSION="$(bw unlock --raw || bw login --raw)"; then
+          if ! declare -px BW_SESSION >/dev/null 2>&1; then
+            BW_SESSION="$(bw unlock --raw || bw login --raw)"
             export BW_SESSION
           fi
-          SOPS_AGE_KEY="$(bw get notes 'admin age-key')"
-          export SOPS_AGE_KEY
+          if ! declare -px SOPS_AGE_KEY >/dev/null 2>&1; then
+            SOPS_AGE_KEY="$(bw get notes 'admin age-key')"
+            export SOPS_AGE_KEY
+          fi
           SOPS_CONFIG="${self'.packages.sops-config}"
           export SOPS_CONFIG
         '';