Prompted by the recent vulnerability in SHA-1 and admonitions to begin the process of moving away from that hash function, I'm playing around with GnuPG again. I was just wondering how other folks use the system. Use these questions as prompts, but I'd really like to hear about stuff I haven't even thought of.
What size keys are you using?
What sort of things do you have in your gpg.conf?
Do you have an expiration date on your keys?
Do you have a revocation certificate somewhere safe - perhaps with a trusted friend?
Figuring out how to trust sign keys. If you don't, gpg will always give you this annoying message: "are you sure you want to use this untrusted key??"
do
And follow the instructions from there.
We have used it for a long time, and in that time it has been robust, easy to work with, and has worked well across platforms. We regularly encrypt stuff on Linux boxes and decrypt on Windows, and vice-versa. It's a well-vetted, well thought out piece of software that has included new encryption algorithms and standards as they've appeared and has done well for us for secure data storage and transfer over the years.
We use 2048-bit keys and expire them after 2 years. We use gpg.conf to specify encryption algorithms and, having seen the news about SHA-1, have just begun looking into shuffling these up as per http://www.debian-administration.org/users/dkg/weblog/48. We don't maintain a revocation elsewhere, but also don't really use it in a PKI fashion either.
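An added example, not part of any post in this thread: a small Python check that reads gpg.conf text and reports digest options that still rank SHA-1 (or another legacy hash) first, or that are left to GnuPG's built-in default. The three sample configurations are constructed, and option values are assumed to be algorithm names rather than numeric IDs.

```python
# Added example: audit gpg.conf text for digest settings that still favour SHA-1.
WEAK = {"SHA1", "MD5", "RIPEMD160"}
STRONG = {"SHA224", "SHA256", "SHA384", "SHA512"}

LEGACY = """# constructed sample: no digest options set
keyserver hkp://keys.example.org
personal-cipher-preferences AES256 AES192 AES
"""
HARDENED = """# constructed sample
personal-digest-preferences SHA256 SHA512
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES ZLIB BZIP2 ZIP
"""
MIXED = """cert-digest-algo SHA1   # constructed sample
personal-digest-preferences SHA1 SHA256
default-preference-list AES256 SHA256 SHA1 ZLIB
"""

def parse_conf(text):
    """Return {option: [values]} from gpg.conf text; '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *values = line.split()
            opts[name.lower()] = [v.upper() for v in values]
    return opts

def audit(text):
    """Return a list of findings; an empty list means no weak digest is preferred."""
    opts, findings = parse_conf(text), []
    # Digest used when certifying keys (including self-signatures).
    cert = opts.get("cert-digest-algo")
    if not cert:
        findings.append("cert-digest-algo unset: built-in default applies")
    elif cert[0] in WEAK:
        findings.append(f"cert-digest-algo is {cert[0]}")
    # Ordered lists: only the first digest matters here, since SHA-1 may
    # legitimately appear later in a list as a fallback.
    for opt in ("personal-digest-preferences", "default-preference-list"):
        digests = [v for v in opts.get(opt, []) if v in WEAK | STRONG]
        if not digests:
            findings.append(f"{opt} names no digest: built-in default applies")
        elif digests[0] in WEAK:
            findings.append(f"{opt} ranks {digests[0]} first")
    return findings

if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY), ("hardened", HARDENED), ("mixed", MIXED)):
        print(label, audit(conf))
```

A finding of "built-in default applies" is a prompt to check what the installed GnuPG version defaults to, not proof that SHA-1 is in use.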
I use 4096-bit keys; I see no reason to use anything different. Modern computers are easily powerful enough to decrypt something that high in seconds.
I use an encryption key which never expires and a signing key which expires yearly.