To send non-HTML email with Tbird, SHIFT + Write or Reply button.

Filename conventions
  *.gpg: Binary ciphertext
  *.asc: ASCII-armored text (could be an ASCII-armored key, signature or ciphertext)
  *.sig: Binary signature file

SIGNING
You "sign" outgoing email with your own private key (unlocked with your passphrase).

ENCRYPTING
You "encrypt" outgoing email with the recipient's public key.

Good key server: http://keyserver.ubuntu.com
[http://pgp.mit.edu/ used to be the standard]

Check any ciphertext (or key file):
  gpg2 file.asc
Works great to report on keys and encrypted text.

Encrypt text to binary ciphertext:
  echo hello | gpg2 -e -r '<email@addr>' -o /tmp/enc.1
  # These forms don't work: a trailing filename is taken as the INPUT file to encrypt,
  # so the piped text is ignored (and gpg2 fails if /tmp/enc.1 doesn't exist).
  # Name the output with -o or redirect stdout.
  #   echo hello | gpg2 -e -r 'Blaine Simpson' /tmp/enc.1
  #   echo hello | gpg2 -e -r '<email@addr>' /tmp/enc.1

Encrypt text to ASCII-armored ciphertext:
  echo hello | gpg2 -a -e -r '<email@addr>' > /tmp/enc.1

Encrypt text file to ASCII-armored ciphertext:
  gpg2 -a -e -r '<email@addr>' file.txt               # writes file.txt.asc. Don't need <>:
  gpg2 -a -e -r blaine.simpson@admc.com file.txt      # writes file.txt.asc

Decrypt binary or ASCII-armored ciphertext:
  gpg2 -d [-o cleartextfile.txt] /tmp/enc.1            # writes to stdout unless -o is given

WINDOWS
Trying gpg4win v. 2.1.0beta.
Installing only components: GnuPG + GPA (GPA is a graphical front end).
(The other components are specific to Outlook, Windows Explorer, local mail.)
When run from a non-Bash shell, gpg2 seems to use %APPDATA%\gnupg
(i.e. ...\AppData\Roaming\gnupg) as GNUPGHOME instead of ~/.gnupg.
Defeat this by setting a user (not System) Windows variable:
  GNUPGHOME=%HOMEDRIVE%%HOMEPATH%/.gnupg
(%HOMEDRIVE% and %HOMEPATH% don't expand in System variables.)

Text convention below: <KEY> stands for whatever identifies the desired key.
Supports at least 3 forms: 'User Name', '<email@addr>', 0x2516C4D3.
(The <...> enforces an exact match on an email address.)
(The last is a case-insensitive hex fingerprint or keyID.)

Just from my experience, it seems that you assign trust only to your own private key,
giving it ultimate trust (with "gpg2 --edit-key"). To use other people's keys, you import
and then sign their public keys with your private key:
  gpg2 --import theirpubkeyfile.asc
  gpg2 --sign-key <KEY>          # requires your private key passphrase
  gpg2 --list-sigs <KEY>         # check that the list for the target pub key shows your signature

To move your private key to another PC:
  gpg2 --import yourprivatekey.asc
  gpg2 --edit-key <KEY>
    trust
    5 (ultimate)
    save

Change private key passphrase with:
  gpg2 --edit-key <KEY>
    passwd                       # will ask for old and new passphrases

Delete private key with:
  gpg2 --delete-secret-keys <KEY>   # --delete-key only removes a public key, and refuses
                                    # while a secret key for it still exists

Export public key:
  gpg2 --export -a -o pubkey.asc <KEY>
Export private key:
  gpg2 --export-secret-keys -a -o privkey.asc <KEY>
Import any kind of keys:
  gpg2 --import file.asc
(I think that you only need to import your own private key, not public. This is at least
the case for normal recipient-key-based encryption.)

--- SIGNING
To encrypt AND sign:
  gpg2 -r <KEY> -a -s -e infile    # writes infile.asc
(The corresponding -d command sees the internal signature and automatically verifies it.)
When both encryption and signing are needed, unless there is a need for a separate
(detached) signature file, it is much more convenient to use an all-in-one file (with or
without ASCII-armoring), since both writing and reading can be done with single operations.

To just add a (short, ASCII-armored) signature to the input file (actually to a copy of
it), with no encryption or compression:
  gpg2 --clearsign input.txt       # writes input.txt.asc

Separate (detached) signature file WITH encrypted data.
WRITING: Docs say (but give no example) that encryption and a detached sig can be done in
one operation, but in practice I find that it requires two separate commands:
  gpg2 -r <KEY> -a -e infile       # no -s or -b switch, so no signing; writes infile.asc
                                   # (without -a writes binary infile.gpg)
  gpg2 -b -a infile.asc            # writes infile.asc.asc
                                   # (without -a writes binary infile.asc.sig)
READING encryption + detached sig file:
  gpg2 --verify file.sig|sign.asc          # equivalent to: gpg2 -d file.sig|sign.asc
  gpg2 -d ciphertext.gpg|ciphertext.asc    # to decrypt
"gpg2 -d sign.asc|file.sig" WILL NOT DECRYPT, but is in fact equivalent to
"gpg2 --verify sign.asc|file.sig".

Checking signatures (without accompanying decryption):
GOTCHA: "gpg2 --verify encrypted_and_signed.asc" does not work, because the signature
packets sit inside the encrypted packet and --verify never decrypts. To verify the
signature on encrypted+signed input you really must "-d".
  gpg2 --verify signature.asc|file.sig|comprehensive.gpg|comprehensive.asc
(When verifying with separate signature files, you may specify both the data and the
signature file names, but the default convention is to specify the signature file and
assume the data file is named the same without the .sig or .asc suffix.)

MULTIPLE PRIVATE KEYS
http://ubuntuforums.org/showthread.php?t=1972338
Default key:
  egrep ^default-key ~/.gnupg/gpg.conf
According to this forum, to really change the "default", edit that file.
To "use" a specific private key for one command, use the non-intuitive switch:
  --default-key <KEY>
(-u / --local-user <KEY> also selects the signing key.)

KEYPAIR GENERATION
Subkeys can be added later, but the primary key's length is permanent, and an existing
user ID/comment/email cannot be edited (you can only add a new user ID and revoke the old).
Format: Full Name (A Comment) <email@addr>
RSA+RSA type seems to be best. As of 2013, 4096-bit size looks fully supported.

Useful display/list:
  gpg2 --list-key[s] [names|shortkey|longkey|email@addr]
Short key is the LAST 8 hex chars of the long key (itself the last 16 of the fingerprint).

Blaine's active keyID AB24C1EF. Expires 2021-11-13.
(botched keyID 20D462D9)
(Blaine's old GPG key has keyID 2516C4D3. Never expires.)
(EDB78AC4 is obsolete WITH LOST KEY!!!!)
ADMC GPG key has keyID . Expires 2015-10-16.

Best practices
https://riseup.net/en/security/message-security/openpgp/best-practices
Use 4096-bit (or more) RSA with the sha512 hashing algo.
Set a short expiration date, <= 2 years. It can be extended even after the expiration point.
Generating a revocation certificate, and updating certs:
http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/
N.b. must extend time of both primary (non-key) and key 1, for me.
Making an updated keypair (n.b. she did not expire it!):
https://unix.stackexchange.com/questions/177291/how-to-renew-an-expired-keypair-with-gpg#177310
Revocation:
http://www.pgp.net/pgpnet/pgp-faq/pgp-faq-key-revocation.html

SIMPLE UPDATE EXPIRY (incl. after old expiry date past). Just:
  gpg --edit-key <KEY>
    expire       # updates key 0, which for me is the usage "SC" key
    key 1        # selects key 1, which for me is the usage "E" key
    expire
    save
  gpg [--keyserver host.name] --send-key <KEY>   # keyserver defaults to what's in ~/.gnupg/gpg.conf

Display a public key (from your keyring):
  gpg2 --export -a '<KEY>'
Display/list expiration:
  gpg2 --list-keys '<KEY>'
See what a file was encrypted with:
  gpg2 file/path
  gpg2 --list-packets file/path    # lists the recipient key IDs without decrypting

kleopatra is KDE's graphical gpg app.
cacert.org appears to be the best key server now.
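The two SIGNING sections above give the encrypt+sign, detached-signature and clearsign commands one at a time. The script below, added here as a worked example and not part of the original notes, runs those round trips end to end in a throwaway GNUPGHOME, including the GOTCHA that "--verify" fails on encrypted+signed data. It assumes GnuPG 2.1+ on PATH as "gpg" (the notes' gpg2), and the user ID demo@example.invalid, the key and the plaintext are all constructed for the demo; nothing in it touches ~/.gnupg.

```shell
#!/bin/sh
# Added example, not from the original notes: the encrypt/sign/verify round
# trips described above, run end to end in a throwaway keyring.
# Assumes GnuPG 2.1+ is on PATH as "gpg" (the notes call it gpg2) and that
# gpg-agent can start. The user ID, key and plaintext are constructed.
set -eu

gpg_demo() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; nothing to demonstrate" >&2
        return 0
    fi
    work=$(mktemp -d)
    # Private keyring for this run only, so ~/.gnupg is never touched
    # (the same GNUPGHOME override the Windows note above relies on).
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"

    if ( set -eu; cd "$work"; run_demo ); then rc=0; else rc=$?; fi

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    return $rc
}

run_demo() {
    uid='Demo User <demo@example.invalid>'     # constructed identity
    # Unattended keypair: RSA primary (usage SC) plus RSA encryption subkey
    # (usage E), no passphrase so nothing prompts. rsa2048 only keeps the demo
    # fast; the best-practices section recommends 4096 bits for a real key.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$uid" rsa2048 default 1y
    printf 'hello\n' > infile

    # 1. Encrypt AND sign into one ASCII-armored file (gpg2 -r <KEY> -a -s -e).
    #    The <...> around the address forces an exact e-mail match.
    gpg --batch --quiet -a -r '<demo@example.invalid>' -s -e infile   # writes infile.asc
    #    -d decrypts and verifies the embedded signature in one step.
    gpg --batch --quiet -o out.txt -d infile.asc
    cmp infile out.txt

    #    The GOTCHA from the notes: --verify cannot see a signature that sits
    #    inside the encrypted packet, so it must fail here.
    if gpg --batch --quiet --verify infile.asc 2>/dev/null; then
        echo "unexpected: --verify succeeded on encrypted+signed data" >&2
        return 1
    fi

    # 2. Encrypt, then sign the ciphertext with a separate detached signature
    #    (two commands, as the notes found).
    gpg --batch --quiet -a -r '<demo@example.invalid>' -e -o infile2.asc infile
    gpg --batch --quiet -a -b infile2.asc                      # writes infile2.asc.asc
    gpg --batch --quiet --verify infile2.asc.asc               # data file name implied
    gpg --batch --quiet --verify infile2.asc.asc infile2.asc   # or named explicitly
    gpg --batch --quiet -o out2.txt -d infile2.asc
    cmp infile out2.txt

    # 3. Clearsign: plaintext stays readable, signature appended, no encryption.
    gpg --batch --quiet -o infile.clearsigned.asc --clearsign infile
    gpg --batch --quiet --verify infile.clearsigned.asc

    # 4. "What was this encrypted with?" Inspect packets without decrypting:
    #    one "pubkey enc packet" line per -r recipient, carrying the subkey ID.
    n=$(gpg --batch --list-packets infile2.asc | grep -c 'pubkey enc packet')
    [ "$n" -eq 1 ]
    echo "all round trips OK"
}

gpg_demo
```

Run it as-is; it exits non-zero at the first step that misbehaves, and the only state it leaves behind is nothing, since the temporary GNUPGHOME is removed and its gpg-agent killed on the way out. For a real key, replace the loopback/empty-passphrase options with an interactive "--quick-gen-key" and 4096 bits as the best-practices section advises.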