diff --git a/bin/taler-deployment-keyup b/bin/taler-deployment-keyup
index 76de9c3..45f99f8 100755
--- a/bin/taler-deployment-keyup
+++ b/bin/taler-deployment-keyup
@@ -15,6 +15,7 @@ if ! test -f $HOME/.config/taler.conf; then
   exit 1
 fi
 
+DEPLOYMENT_DATA=$(taler-config -s paths -o taler_deployment_data -f)
 DATESALT=$(date +%s%N)
 AUDITOR_REQUEST_DIR=$(taler-config -s exchangedb -o auditor_inputs -f)
 AUDITOR_BASE_DIR=$(taler-config -s exchangedb -o auditor_base_dir -f)
@@ -33,53 +34,52 @@ MERCHANT_TALER_PRIV=$(taler-config -s instance-Taler -o keyfile -f)
 MERCHANT_FSF_PRIV=$(taler-config -s instance-FSF -o keyfile -f)
 MERCHANT_GNUNET_PRIV=$(taler-config -s instance-GNUnet -o keyfile -f)
 
+
+# NOTE: all the steps below will only work IF /home/demo/taler-data/
+# allows already writes from the demo group.  And that it is not (yet?)
+# automated.
+chmod g+s $DEPLOYMENT_DATA/
+
 # Deploying merchant tip-reserve priv.
 if ! test -f $MERCHANT_TIP_RESERVE_PRIV ; then
   mkdir -p $(dirname $MERCHANT_TIP_RESERVE_PRIV)
   cp $HOME/deployment/private-keys/default-tip.priv $MERCHANT_TIP_RESERVE_PRIV
-  chmod 440 $MERCHANT_TIP_RESERVE_PRIV
 fi
 
 # Deploying merchant default priv.
 if ! test -f $MERCHANT_DEFAULT_PRIV ; then
   mkdir -p $(dirname $MERCHANT_DEFAULT_PRIV)
   cp $HOME/deployment/private-keys/default.priv $MERCHANT_DEFAULT_PRIV
-  chmod 440 $MERCHANT_DEFAULT_PRIV
 fi
 
 # Deploying merchant tutorial priv.
 if ! test -f $MERCHANT_TUTORIAL_PRIV ; then
   mkdir -p $(dirname $MERCHANT_TUTORIAL_PRIV)
   cp $HOME/deployment/private-keys/tutorial.priv $MERCHANT_TUTORIAL_PRIV
-  chmod 440 $MERCHANT_TUTORIAL_PRIV
 fi
 
 # Deploying merchant Tor priv.
 if ! test -f $MERCHANT_TOR_PRIV ; then
   mkdir -p $(dirname $MERCHANT_TOR_PRIV)
   cp $HOME/deployment/private-keys/tor.priv $MERCHANT_TOR_PRIV
-  chmod 440 $MERCHANT_TOR_PRIV
 fi
 
 # Deploying merchant Taler priv.
 if ! test -f $MERCHANT_TALER_PRIV ; then
   mkdir -p $(dirname $MERCHANT_TALER_PRIV)
   cp $HOME/deployment/private-keys/taler.priv $MERCHANT_TALER_PRIV
-  chmod 440 $MERCHANT_TALER_PRIV
 fi
 
 # Deploying merchant FSF priv.
 if ! test -f $MERCHANT_FSF_PRIV ; then
   mkdir -p $(dirname $MERCHANT_FSF_PRIV)
   cp $HOME/deployment/private-keys/fsf.priv $MERCHANT_FSF_PRIV
-  chmod 440 $MERCHANT_FSF_PRIV
 fi
 
 # Deploying merchant GNUnet priv.
 if ! test -f $MERCHANT_GNUNET_PRIV ; then
   mkdir -p $(dirname $MERCHANT_GNUNET_PRIV)
   cp $HOME/deployment/private-keys/gnunet.priv $MERCHANT_GNUNET_PRIV
-  chmod 440 $MERCHANT_GNUNET_PRIV
 fi
 
 
@@ -87,14 +87,12 @@ fi
 if ! test -f $EXCHANGE_PRIV ; then
   mkdir -p $(dirname $EXCHANGE_PRIV)
   cp $HOME/deployment/private-keys/${TALER_ENV_NAME}-exchange-master.priv $EXCHANGE_PRIV
-  chmod 440 $EXCHANGE_PRIV
 fi
 
 # Deploying Auditor's priv.
 if ! test -f $AUDITOR_PRIV; then
   mkdir -p $(dirname $AUDITOR_PRIV)
   cp $HOME/deployment/private-keys/auditor.priv $AUDITOR_PRIV
-  chmod 440 $AUDITOR_PRIV
 fi
 
 mkdir -p $AUDITOR_REQUEST_DIR
@@ -104,9 +102,6 @@ taler-exchange-keyup \
 
 # or-ing with true as user A won't be able to
 # change permissions for user B's files.
-chmod -R 440 $EXCHANGE_LIVE_KEYS/* || true
-
-chmod -R 440 $EXCHANGE_WIREFEES/* || true
 
 taler-auditor-exchange \
   -m $EXCHANGE_PUB \
@@ -129,3 +124,5 @@ if [[ -s $AUDITOR_REQUEST_DIR/auditor_request-${DATESALT} ]]; then
     -o "$AUDITOR_BASE_DIR/$DATESALT" \
     -c ${HOME}/.config/taler.conf
 fi
+
+chmod -R 660 $DEPLOYMENT_DATA/