diff --git a/src/crypto/index.js b/src/crypto/index.js
index 7dd771130..99250c1d2 100644
--- a/src/crypto/index.js
+++ b/src/crypto/index.js
@@ -338,6 +338,9 @@ Crypto.prototype.createRecoveryKeyFromPassphrase = async function(password) {
 * called to await a secret storage key creation flow.
 * @param {object} [opts.keyBackupInfo] The current key backup object. If passed,
 * the passphrase and recovery key from this backup will be used.
+ * @param {bool} [opts.setupNewKeyBackup] If true, a new key backup version will be
+ * created and the private key stored in the new SSSS store. Ignored if keyBackupInfo
+ * is supplied.
 * Returns:
 * {Promise} A promise which resolves to key creation data for
 * SecretStorage#addKey: an object with `passphrase` and/or `pubkey` fields.
@@ -346,6 +349,7 @@ Crypto.prototype.bootstrapSecretStorage = async function({
 authUploadDeviceSigningKeys,
 createSecretStorageKey = async () => { },
 keyBackupInfo,
+ setupNewKeyBackup,
 } = {}) {
 logger.log("Bootstrapping Secure Secret Storage");
@@ -469,6 +473,14 @@ Crypto.prototype.bootstrapSecretStorage = async function({
 );
 }
 }
+
+ if (setupNewKeyBackup && !keyBackupInfo) {
+ const info = await this._baseApis.prepareKeyBackupVersion(
+ null /* random key */,
+ { secureSecretStorage: true },
+ );
+ await this._baseApis.createKeyBackupVersion(info);
+ }
 } finally {
 // Restore the original callbacks. NB. we must do this by manipulating
 // the same object since the CrossSigning class has a reference to the
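Review bot: The added JSDoc tag in the first hunk uses `{bool}`, which is not a JSDoc type name; `@param {boolean} [opts.setupNewKeyBackup]` is the form that doc tooling and type checkers recognise. The description would also be clearer if it said the backup key is randomly generated, since the code passes `null /* random key */`, for example `If true, a new key backup version with a freshly generated key will be created`.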
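Review bot: The new `if (setupNewKeyBackup && !keyBackupInfo)` block in the third hunk creates a backup version without any visible check that the account has none already. A caller that sets the flag but omits `keyBackupInfo` would get a fresh version under a random key, while keys held only in an earlier version stay behind under the old key. Whether callers guarantee that precondition cannot be seen here, as the body of `bootstrapSecretStorage` starts and ends outside the hunk. I would state it above the block, `// Caller must pass keyBackupInfo if a backup already exists; this always creates a new version.`, and record the action with `logger.log("Creating new key backup version");`. A comment on the ordering would also help: if `createKeyBackupVersion` rejects after `prepareKeyBackupVersion` has (presumably, given `secureSecretStorage: true`) written the private key to secret storage, the stored key has no matching server version.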