diff --git a/roles/backup_client/tasks/main.yml b/roles/backup_client/tasks/main.yml
index 390d5387203e663a5b2086c4862bd957c659235d..358325c02228de51f5394d227c96f56e18718a68 100644
--- a/roles/backup_client/tasks/main.yml
+++ b/roles/backup_client/tasks/main.yml
@@ -17,20 +17,18 @@
     - "/var/cache/duply"
     - "/var/cache/duply/main"
 
-- name: Extract encryption keys
-  local_action: "command gpg2 --homedir '{{ backup_gnupg_keyring }}' --armor --export {{ backup_encryption_keys | join(' ') }}"
+- name: Extract private keys used for encryption and signing
+  local_action: "command gpg2 --homedir '{{ backup_gnupg_keyring }}' --armor --export-secret-keys {{ backup_encryption_key }} {{ backup_signing_key }}"
   become: no
-  register: encryption_keys
-  tags:
-    - debug
+  register: private_keys
   changed_when: False
 
-- name: Extract signing key
-  local_action: command gpg2 --homedir "{{ backup_gnupg_keyring }}" --armor --export-secret-key "{{ backup_signing_key }}"
+- name: Extract public keys used for encryption only
+  local_action: "command gpg2 --homedir '{{ backup_gnupg_keyring }}' --armor --export {{ backup_additional_encryption_keys | join(' ') }}"
   become: no
-  when: backup_signing_key is defined
-  register: signing_key
+  register: public_keys
   changed_when: False
+  when: backup_additional_encryption_keys
 
 - name: Extract signing key ID (duplicity accepts 8-char hex code only)
   local_action: shell gpg2 --homedir "{{ backup_gnupg_keyring }}" --with-colons --list-secret-keys "{{ backup_signing_key }}" | grep '^sec' | sort -n -k 6 -t ":" | cut -f 5 -d ':' | grep -o '[A-F0-9]\{8\}$'
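Review bot: The new `Extract private keys used for encryption and signing` task registers armored secret-key material in `private_keys` with no `no_log: True`, so a verbose run or any logging callback will print the exported private keys in clear; the only `no_log` the file had, on the old signing-key deploy task, is dropped by the second hunk of this commit. Add `no_log: True` to this task, and the deploy task that consumes `private_keys` needs the same. Separately, `when: backup_additional_encryption_keys` fails with an undefined-variable error rather than skipping when the variable is not set; if "skip when absent" is the intent, `when: backup_additional_encryption_keys | default([])` gives that and matches the `default("")` the next hunk applies to `public_keys.stdout`. The unconditional `{{ backup_signing_key }}` in the export also removes the former `when: backup_signing_key is defined` guard, so a host without a signing key now fails at export time — fine if signing is mandatory, but a one-line comment stating that would save the next reader a guess.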
@@ -39,27 +37,21 @@
   register: signing_key_id
   changed_when: False
 
-- name: Deploy GnuPG public keys for encryption
-  copy: content="{{ encryption_keys.stdout }}" dest="/etc/duply/main/public_encryption_keys.asc"
+- name: Deploy GnuPG private keys
+  copy: content="{{ private_keys.stdout }}" dest="/etc/duply/main/private_keys.asc"
         owner=root group=root mode=600
-  register: new_enc_key
   notify:
-    - Import signing private keys
-    - Import encryption public keys
+    - Clean-up GnuPG keyring for import of new keys
+    - Import private keys
+    - Import public keys
 
-- name: Deploy GnuPG private keys for signing
-  copy: content="{{ signing_key.stdout }}" dest="/etc/duply/main/private_signing_key.asc"
+- name: Deploy GnuPG public keys
+  copy: content="{{ public_keys.stdout | default("") }}" dest="/etc/duply/main/public_keys.asc"
         owner=root group=root mode=600
-  no_log: True
-  when: backup_signing_key is defined
-  register: new_sign_key
   notify:
-    - Import signing private keys
-    - Import encryption public keys
-
-- name: Clean-up GnuPG keyring for import of new keys
-  shell: rm -f /etc/duply/main/gnupg/*
-  when: new_enc_key.changed or new_sign_key.changed
+    - Clean-up GnuPG keyring for import of new keys
+    - Import private keys
+    - Import public keys
 
 - name: Deploy private SSH key for logging-in into backup server
   copy: content="{{ backup_ssh_key }}" dest="/etc/duply/main/ssh/identity"
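Review bot: `no_log: True` is removed from the task that now writes the private keys (`Deploy GnuPG private keys`), yet `copy` is still handed the full armored secret keys through `content=`; without `no_log`, `--diff`/check mode and verbose output show that key material. Restore `no_log: True` on that task, and consider it on the public-key task too for consistency. The order of the three `notify` entries does not control execution: handlers run in the order they are declared in the handlers file, which is outside this diff, so the clean-up handler has to be declared ahead of the two import handlers there for the intended sequence. `content="{{ public_keys.stdout | default("") }}"` nests double quotes inside a double-quoted k=v value, which is fragile under Ansible's argument splitting; `default('')` is the safer spelling. The k=v `mode=600` is read as octal, but `mode=0600` is the conventional form and removes the ambiguity.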