diff --git a/src/python/jw/pkg/cmds/secrets/lib/DistroContext.py b/src/python/jw/pkg/cmds/secrets/lib/DistroContext.py
index 7628fbb1..93985bc3 100644
--- a/src/python/jw/pkg/cmds/secrets/lib/DistroContext.py
+++ b/src/python/jw/pkg/cmds/secrets/lib/DistroContext.py
@@ -14,6 +14,8 @@ if TYPE_CHECKING:
 
 from ....lib.log import *
 from ....lib.util import run_cmd
+from ....lib.TarIo import TarIo
+from ....lib.ProcFilterGpg import ProcFilterGpg
 
 from .base import Attrs
 from .FilesContext import FilesContext
@@ -72,3 +74,21 @@ class DistroContext(FilesContext):
                 missing += 1
         if missing > 0:
             log(WARNING, f'{missing} missing secrets found. You might want to add them and run sudo {app.cmdline} again')
+
+    async def install(self, src_uri: str, pkg_names: Iterable[str], only_missing: bool=False) -> None:
+        if only_missing:
+            raise NotImplementedError('--only-missing is not yet implemented')
+        secret_paths = await self.list_secret_paths(pkg_names)
+        ec = self.ctx
+        from ....lib.ec.Local import Local
+        from ....lib.FileContext import FileContext
+        if not isinstance(ec, Local):
+            ec = Local() # Security: Use a local exec context for decrypting and filtering secrets
+        async with TarIo.create(src=src_uri, dst=self.ctx) as tio:
+            tio.src.add_proc_filter(FileContext.Direction.In, ProcFilterGpg(ec=ec))
+            extracted_paths = await tio.extract(path_filter=secret_paths)
+            for path in secret_paths:
+                if not path in extracted_paths:
+                    log(NOTICE, f'not extracted: {path}')
+                else:
+                    log(NOTICE, f'extracted:     {path}')