General GnuPG tips

Solution 1:

Figuring out how to trust-sign keys. If you don't, gpg will always give you this annoying message: "are you sure you want to use this untrusted key??"

Do:

$ gpg --edit-key NAME
> tsign

And follow the instructions from there.

Solution 2:

I use 4096-bit keys; I see no reason to use anything different. Modern computers are easily powerful enough to decrypt something that high in seconds.

I use an encryption key, which never expires, and a signing key, which expires yearly.

Solution 3:

We have used it for a long time, and in that time it has been robust, easy to work with, and has worked well across platforms. We regularly encrypt stuff on Linux boxes and decrypt on Windows, and vice versa. It's a well-vetted, well-thought-out piece of software that has included new encryption algorithms and standards as they've appeared and has done well for us for secure data storage and transfer over the years.

We use 2048-bit keys and expire them after 2 years. We use gpg.conf to specify encryption algorithms, and having seen the news about SHA-1 have just begun looking into shuffling these up as per http://www.debian-administration.org/users/dkg/weblog/48. We don't maintain a revocation elsewhere, but also don't really use it in a PKI fashion either.
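An added example, not taken from any of the answers above, that ties Solution 1's tsign step to Solution 3's use of gpg.conf for algorithm choices: it builds an isolated GNUPGHOME whose gpg.conf demotes SHA-1 along the lines of the linked dkg post, and scripts the tsign session so the "untrusted key" warning goes away for keys you have vouched for. The function names and the prompt order assumed inside tsign_key (trust level, depth, domain, confirmation) are assumptions; the gpg.conf options themselves are real GnuPG options.

```shell
#!/bin/sh
# Constructed example: isolated GNUPGHOME with SHA-1 demoted, plus a scripted tsign.

# gpg.conf that prefers SHA-2 digests and certifies other keys with SHA256
# instead of the historical SHA-1 default.
hardened_gpg_conf() {
  cat <<'EOF'
# Digests used for our own signatures, strongest first
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
# Digest used when certifying (signing) other people's keys
cert-digest-algo SHA256
# Preferences advertised on keys we generate from now on
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
EOF
}

# Create an isolated keyring directory with the hardened config installed.
# Prints the directory path so callers can export it as GNUPGHOME.
setup_gnupghome() {
  dir="$1"
  mkdir -p "$dir"
  chmod 700 "$dir"            # gpg warns about unsafe permissions otherwise
  hardened_gpg_conf > "$dir/gpg.conf"
  printf '%s\n' "$dir"
}

# First algorithm in personal-digest-preferences, i.e. what our signatures use.
first_digest_preference() {
  awk '/^personal-digest-preferences/ { print $2; exit }' "$1/gpg.conf"
}

# True when certifications are configured to use SHA256.
certifies_with_sha256() {
  grep -q '^cert-digest-algo SHA256$' "$1/gpg.conf"
}

# Trust-sign KEYID non-interactively (ASSUMED prompt order: trust level,
# depth, domain, confirmation). level 1 = marginal, 2 = full; depth 1 means
# the key may introduce other keys but not further introducers.
tsign_key() {
  keyid="$1"; level="${2:-2}"; depth="${3:-1}"; domain="${4:-}"
  printf 'tsign\n%s\n%s\n%s\ny\nsave\n' "$level" "$depth" "$domain" |
    gpg --command-fd 0 --status-fd 2 --edit-key "$keyid"
}
```

Point GNUPGHOME at the directory returned by setup_gnupghome before running tsign_key, or the scripted session will edit your real keyring.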