diff --git a/roles/backup_client/tasks/main.yml b/roles/backup_client/tasks/main.yml
index 358325c02228de51f5394d227c96f56e18718a68..ad9cd45a854acd20255e963bd992aa38c182d7f5 100644
--- a/roles/backup_client/tasks/main.yml
+++ b/roles/backup_client/tasks/main.yml
@@ -17,28 +17,8 @@
 - "/var/cache/duply"
 - "/var/cache/duply/main"
-- name: Extract private keys used for encryption and signing
- local_action: "command gpg2 --homedir '{{ backup_gnupg_keyring }}' --armor --export-secret-keys {{ backup_encryption_key }} {{ backup_signing_key }}"
- become: no
- register: private_keys
- changed_when: False
- - name: Extract public keys used for encryption only
- local_action: "command gpg2 --homedir '{{ backup_gnupg_keyring }}' --armor --export {{ backup_additional_encryption_keys | join(' ') }}"
- become: no
- register: public_keys
- changed_when: False
- when: backup_additional_encryption_keys
- - name: Extract signing key ID (duplicity accepts 8-char hex code only)
- local_action: shell gpg2 --homedir "{{ backup_gnupg_keyring }}" --with-colons --list-secret-keys "{{ backup_signing_key }}" | grep '^sec' | sort -n -k 6 -t ":" | cut -f 5 -d ':' | grep -o '[A-F0-9]\{8\}$'
- become: no
- when: backup_signing_key is defined
- register: signing_key_id
- changed_when: False
-
 - name: Deploy GnuPG private keys
- copy: content="{{ private_keys.stdout }}" dest="/etc/duply/main/private_keys.asc"
+ copy: content="{{ backup_encryption_key }}" dest="/etc/duply/main/private_keys.asc"
 owner=root group=root mode=600
 notify:
 - Clean-up GnuPG keyring for import of new keys
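Review bot: The new `copy: content="{{ backup_encryption_key }}"` line writes armored secret-key material straight from a role variable, and the task still carries no `no_log: true`, so the private key is echoed in controller output under `-v` or `--diff` and handed to callback plugins (the removed `private_keys.stdout` path had the same exposure, but the commit rewrites this task without closing it). Adding `no_log: true` alongside `notify:` is a one-line fix; the public-key copy in the next hunk does not need it. Because `backup_encryption_key` now holds key material rather than the key ID previously passed to `--export-secret-keys`, and `backup_signing_key` and the registered `signing_key_id` disappear, any template that still reads `signing_key_id` or `private_keys` would break — that is outside this diff and worth confirming. The hunk opens inside the item list of a preceding task whose header is not shown.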
@@ -46,13 +26,24 @@
 - Import public keys
 - name: Deploy GnuPG public keys
- copy: content="{{ public_keys.stdout | default("") }}" dest="/etc/duply/main/public_keys.asc"
+ copy: content="{{ backup_additional_encryption_keys | join('\n') }}" dest="/etc/duply/main/public_keys.asc"
 owner=root group=root mode=600
 notify:
 - Clean-up GnuPG keyring for import of new keys
 - Import private keys
 - Import public keys
+- name: Extract encryption key identifier (Duplicty requires key ID in hexadecimal format)
+ shell: "gpg2 --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sed -re 's/^.{8}//'"
+ register: backup_encryption_key_id
+ changed_when: False
+
+- name: Extract additional encryption keys identifiers (Duplicty requires key ID in hexadecimal format)
+ shell: "gpg2 --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sort -u | sed -re 's/^.{8}//' | tr '\n' ',' | sed -e 's/,$//'"
+ register: backup_additional_encryption_keys_ids
+ when: backup_additional_encryption_keys
+ changed_when: False
+
 - name: Deploy private SSH key for logging-in into backup server
 copy: content="{{ backup_ssh_key }}" dest="/etc/duply/main/ssh/identity"
 owner="root" group="root" mode="600"
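Review bot: The second added task, `Extract additional encryption keys identifiers`, lists packets from `/etc/duply/main/private_keys.asc` even though the additional keys are written to `public_keys.asc` by the copy task just above it, and its `head -n1` runs before `sort -u`, so `backup_additional_encryption_keys_ids` can only ever contain the primary key's own short ID. A minimal fix is `shell: "gpg2 --list-packets /etc/duply/main/public_keys.asc | grep keyid: | sed -e 's/.*: //' | sort -u | sed -re 's/^.{8}//' | tr '\n' ',' | sed -e 's/,$//'"`; note that `--list-packets` reports subkey IDs as well, so if only primary-key IDs are wanted the `keyid:` line following each `:public key packet:` must be selected rather than every match — which Duplicity expects is not visible from the diff. Both new task names spell `Duplicty`; `Duplicity` is meant.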