diff --git a/satellite/orders/encryptionkey.go b/satellite/orders/encryptionkey.go
index c6fbee8f2..021b08850 100644
--- a/satellite/orders/encryptionkey.go
+++ b/satellite/orders/encryptionkey.go
@@ -33,6 +33,17 @@ type EncryptionKeys struct {
 KeyByID map[EncryptionKeyID]storj.Key
 }
 
+// NewEncryptionKeys creates a new EncrytpionKeys object with the provided keys.
+func NewEncryptionKeys(keys ...EncryptionKey) (*EncryptionKeys, error) {
+ var ekeys EncryptionKeys
+ for _, key := range keys {
+ if err := ekeys.Add(key); err != nil {
+ return nil, err
+ }
+ }
+ return &ekeys, nil
+}
+
 // EncryptionKey contains an identifier and an encryption key that is used to
 // encrypt transient metadata in orders.
 //
@@ -137,9 +148,6 @@ func (EncryptionKeys) Type() string { return "orders.EncryptionKeys" }
 
 // Set adds the values from a comma delimited hex encoded strings "hex(id1)=hex(key1),hex(id2)=hex(key2)".
 func (keys *EncryptionKeys) Set(s string) error {
- if keys.KeyByID == nil {
- keys.KeyByID = map[EncryptionKeyID]storj.Key{}
- }
 if s == "" {
 return nil
 }
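Review bot: The doc comment on NewEncryptionKeys misspells the type it returns; it should read `// NewEncryptionKeys creates a new EncryptionKeys object with the provided keys.` Called with no arguments the function never reaches Add, so the returned EncryptionKeys has a zero Default and a nil KeyByID, which is the same state the zero-value struct had before this change; a sentence saying so would save the next reader a trip into Add, e.g. `// With no keys the result has a zero Default and a nil KeyByID.`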
@@ -150,25 +158,36 @@ func (keys *EncryptionKeys) Set(s string) error {
 if err := ekey.Set(x); err != nil {
 return ErrEncryptionKey.New("invalid keys %q: %v", s, err)
 }
- if ekey.IsZero() {
- continue
+ if err := keys.Add(ekey); err != nil {
+ return err
 }
-
- if keys.Default.IsZero() {
- keys.Default = ekey
- }
-
- if _, exists := keys.KeyByID[ekey.ID]; exists {
- return ErrEncryptionKey.New("duplicate key identifier %q", s)
- }
-
- keys.List = append(keys.List, ekey)
- keys.KeyByID[ekey.ID] = ekey.Key
 }
 return nil
 }
 
+// Add adds an encryption key to EncryptionsKeys object.
+func (keys *EncryptionKeys) Add(ekey EncryptionKey) error {
+ if keys.KeyByID == nil {
+ keys.KeyByID = map[EncryptionKeyID]storj.Key{}
+ }
+ if ekey.IsZero() {
+ return ErrEncryptionKey.New("key is zero")
+ }
+
+ if keys.Default.IsZero() {
+ keys.Default = ekey
+ }
+
+ if _, exists := keys.KeyByID[ekey.ID]; exists {
+ return ErrEncryptionKey.New("duplicate key identifier %q", ekey)
+ }
+
+ keys.List = append(keys.List, ekey)
+ keys.KeyByID[ekey.ID] = ekey.Key
+ return nil
+}
+
 // String is required for pflag.Value.
 func (keys *EncryptionKeys) String() string {
 var s strings.Builder
diff --git a/satellite/orders/encryptionkey_test.go b/satellite/orders/encryptionkey_test.go
index 12e931176..94a47f7aa 100644
--- a/satellite/orders/encryptionkey_test.go
+++ b/satellite/orders/encryptionkey_test.go
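Review bot: The duplicate-identifier error in Add formats the whole EncryptionKey with %q; if EncryptionKey's String method renders the value in the `hex(id)=hex(key)` form that Set parses, the secret key bytes end up in an error message that is likely to be logged or shown to an operator. Only the identifier is needed to explain the failure: `return ErrEncryptionKey.New("duplicate key identifier %x", ekey.ID[:])`. Set also no longer skips zero keys, because Add rejects them with "key is zero" where the old loop used `continue`; that is a sensible tightening, but it changes which existing configuration strings are accepted and deserves a line in the commit message. The comment on Add misspells the type as well: `// Add adds an encryption key to the EncryptionKeys object.`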
@@ -15,6 +15,18 @@ import (
 "storj.io/storj/satellite/orders"
 )
 
+func TestEncryptionKeys_New(t *testing.T) {
+ var key1, key2 orders.EncryptionKey
+ require.NoError(t, key1.Set(`11223344556677FF=11223344556677881122334455667788112233445566778811223344556677FF`))
+ require.NoError(t, key2.Set(`0100000000000000=0100000000000000000000000000000000000000000000000000000000000000`))
+ ekeys, err := orders.NewEncryptionKeys(key1, key2)
+ require.NoError(t, err)
+ require.Equal(t, ekeys.Default.Key, key1.Key)
+ require.Equal(t, ekeys.Default.ID, key1.ID)
+ const keyCount = 2
+ require.Equal(t, len(ekeys.KeyByID), keyCount)
+ require.Equal(t, len(ekeys.List), keyCount)
+}
 func TestEncryptionKey_Set_Valid(t *testing.T) {
 type Test struct {
 Hex string
diff --git a/satellite/orders/signer.go b/satellite/orders/signer.go
index 2539f82ed..c953f8af6 100644
--- a/satellite/orders/signer.go
+++ b/satellite/orders/signer.go
@@ -151,14 +151,17 @@ func (signer *Signer) Sign(ctx context.Context, node storj.NodeURL, pieceNum int
 return nil, ErrSigner.Wrap(err)
 }
 
- metadata, err := pb.Marshal(&pb.OrderLimitMetadata{
- BucketId: bucketID[:],
- })
+ encrypted, err := encryptionKey.EncryptMetadata(
+ signer.Serial,
+ &pb.OrderLimitMetadata{
+ BucketId: bucketID[:],
+ },
+ )
 if err != nil {
 return nil, ErrSigner.Wrap(err)
 }
 signer.EncryptedMetadataKeyID = encryptionKey.ID[:]
- signer.EncryptedMetadata = encryptionKey.Encrypt(metadata, signer.Serial)
+ signer.EncryptedMetadata = encrypted
 }
 
 limit := &pb.OrderLimit{
diff --git a/satellite/orders/signer_test.go b/satellite/orders/signer_test.go
index 0fc4b9008..cae095479 100644
--- a/satellite/orders/signer_test.go
+++ b/satellite/orders/signer_test.go
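Review bot: TestEncryptionKeys_New only covers the success path; NewEncryptionKeys also returns an error for a repeated identifier and for a zero key, and neither is exercised. Two lines at the end of the test would pin the duplicate case: `_, err = orders.NewEncryptionKeys(key1, key1)` followed by `require.Error(t, err)`. The closing brace of the new test is also immediately followed by `func TestEncryptionKey_Set_Valid`, without the blank line that normally separates top-level declarations.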
@@ -21,10 +21,11 @@ import (
 )
 
 func TestSigner_EncryptedMetadata(t *testing.T) {
- encryptionKey := orders.EncryptionKey{
+ ekeys, err := orders.NewEncryptionKeys(orders.EncryptionKey{
 ID: orders.EncryptionKeyID{1},
 Key: storj.Key{1},
- }
+ })
+ require.NoError(t, err)
 testplanet.Run(t, testplanet.Config{
 SatelliteCount: 1, StorageNodeCount: 1, UplinkCount: 1,
@@ -33,7 +34,7 @@ func TestSigner_EncryptedMetadata(t *testing.T) {
 testplanet.ReconfigureRS(1, 1, 1, 1)(log, index, config)
 config.Orders.IncludeEncryptedMetadata = true
- config.Orders.EncryptionKeys.Default = encryptionKey
+ config.Orders.EncryptionKeys = *ekeys
 },
 },
 }, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
@@ -65,9 +66,9 @@ func TestSigner_EncryptedMetadata(t *testing.T) {
 require.NotEmpty(t, addressedLimit.Limit.EncryptedMetadata)
 require.NotEmpty(t, addressedLimit.Limit.EncryptedMetadataKeyId)
 
- require.Equal(t, encryptionKey.ID[:], addressedLimit.Limit.EncryptedMetadataKeyId)
+ require.Equal(t, ekeys.Default.ID[:], addressedLimit.Limit.EncryptedMetadataKeyId)
 
- metadata, err := encryptionKey.DecryptMetadata(addressedLimit.Limit.SerialNumber, addressedLimit.Limit.EncryptedMetadata)
+ metadata, err := ekeys.Default.DecryptMetadata(addressedLimit.Limit.SerialNumber, addressedLimit.Limit.EncryptedMetadata)
 require.NoError(t, err)
 
 bucketID, err := satellite.DB.Buckets().GetBucketID(ctx, bucketLocation)
@@ -78,10 +79,11 @@ func TestSigner_EncryptedMetadata(t *testing.T) {
 }
 
 func TestSigner_EncryptedMetadata_UploadDownload(t *testing.T) {
- encryptionKey := orders.EncryptionKey{
+ ekeys, err := orders.NewEncryptionKeys(orders.EncryptionKey{
 ID: orders.EncryptionKeyID{1},
 Key: storj.Key{1},
- }
+ })
+ require.NoError(t, err)
 testplanet.Run(t, testplanet.Config{
 SatelliteCount: 1, StorageNodeCount: 1, UplinkCount: 1,
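Review bot: The two tests now build identical key sets inline, with `orders.EncryptionKeyID{1}` / `storj.Key{1}` wrapped in NewEncryptionKeys plus a `require.NoError` in the hunk at -21 and again in the hunk at -78; a small helper that returns the `*orders.EncryptionKeys` and fails the test on error would keep both setups in step. Assigning `*ekeys` into `config.Orders.EncryptionKeys` (hunk at -33, and the matching hunk at -90) copies the struct but shares its KeyByID map with the local ekeys; that is harmless while the test only reads it, but worth knowing if a later change mutates either copy.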
@@ -90,7 +92,7 @@ func TestSigner_EncryptedMetadata_UploadDownload(t *testing.T) {
 testplanet.ReconfigureRS(1, 1, 1, 1)(log, index, config)
 config.Orders.IncludeEncryptedMetadata = true
- config.Orders.EncryptionKeys.Default = encryptionKey
+ config.Orders.EncryptionKeys = *ekeys
 },
 },
 }, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {