diff --git a/roles/backup_client/tasks/main.yml b/roles/backup_client/tasks/main.yml
index 6720bf4e2ac3343d5611749f9d717e470875f6bd..ae6873aaade016e0610bf99eee131c05a6444b5f 100644
--- a/roles/backup_client/tasks/main.yml
+++ b/roles/backup_client/tasks/main.yml
@@ -1,5 +1,22 @@
 ---
 
+# Determine how to invoke the GnuPG binary based on Debian version.
+- set_fact: gnupg_binary="gpg2"
+  when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie'"
+- set_fact: gnupg_binary="gpg"
+  when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'"
+
+# Determine cut-off for the GnuPG key ID (long vs short) based on Debian
+# version.
+- set_fact: gnupg_key_cutoff="{8}"
+  when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie'"
+- set_fact: gnupg_key_cutoff="{0}"
+  when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'"
+
+- name: Install pexpect for pexpect+sftp Duplicity backend (only on Stretch)
+  apt: name="python-pexpect" state=installed
+  when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'"
+
 - name: Install backup software
   apt: name="{{ item }}" state=installed
   with_items:
@@ -34,13 +51,13 @@
     - Import public keys
 
 - name: Extract encryption key identifier (Duplicty requires key ID in hexadecimal format)
-  shell: "gpg2 --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sed -re 's/^.{8}//'"
+  shell: "{{ gnupg_binary }} --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sed -re 's/^.{{gnupg_key_cutoff}}//'"
   register: backup_encryption_key_id
   changed_when: False
   failed_when: backup_encryption_key_id.stdout == ""
 
 - name: Extract additional encryption keys identifiers (Duplicty requires key ID in hexadecimal format)
-  shell: "gpg2 --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sort -u | sed -re 's/^.{8}//' | tr '\n' ',' | sed -e 's/,$//'"
+  shell: "{{ gnupg_binary }} --list-packets /etc/duply/main/public_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sort -u | sed -re 's/^.{{gnupg_key_cutoff}}//' | tr '\n' ',' | sed -e 's/,$//'"
   register: backup_additional_encryption_keys_ids
   when: backup_additional_encryption_keys
   changed_when: False