tl;dr

# list keys
gpg --list-keys

# note: Not all keys have secret keys.
gpg --list-secret-keys
# Also include subkey id's
gpg --list-secret-keys --keyid-format=long

# Export public key
gpg --export -a 2A178067F1FB5947E7B3970A47A19758A61716AF > my_public_key.asc

# Export private key
gpg --export-secret-keys -a 2A178067F1FB5947E7B3970A47A19758A61716AF > my_private_key.asc

# Import the public key from file
gpg --import my_public_key.asc

# Import the private key from file
gpg --import my_private_key.asc

# Signing of messages
echo "Your message here" | gpg --clearsign
# or
gpg --clearsign filename.txt

# Validating a signed message
gpg --verify signed_message.asc
# note: Public key must be imported for this to work.

# Encrypt a file using the recipient's public key
gpg --encrypt --recipient [email protected] --output encrypted_file.gpg input_file.txt
gpg --decrypt --output decrypted_file.txt encrypted_file.gpg

# Encrypt a file symmetricaly (eg. has nothing to do with keys)
gpg --symmetric --cipher-algo AES256 input_file.txt
gpg --decrypt input_file.txt.gpg

# Change password of key
gpg --edit-key <your-key-id>
# note a empty password removes the password from the key.
passwd
save
# Note: passwords are set on the entire pgp key, not subkeys.
# To select a different key use the -u <keyid> option.

# Sign someone's key after import
gpg --sign-key <key-id>

# List signatures on a key
gpg --list-sig <key-id>

# set trust level for a key
gpg --edit <key-id>
trust
...

# publish a key 
gpg --send-key <key-id> # default server keys.openpgp.com seems broken at time
                        # of writing.
# or to a specific server
gpg --keyserver keyserver.ubuntu.com --send-key <key-id> 

# search for a key on key server
gpg --keyserver keyserver.ubuntu.com --search-key <key-id>/<email>/<name> 

Conceptual

+-------------------+
|  Primary Key      |
|                   |
|  - Subkey (E)     |  (Encryption)
|  - Subkey (S)     |  (Signing)
|  - Subkey (A)     |  (Authentication)
|                   |
+-------------------+

Keyring

The GPG keyring is a repository or database that GPG (GNU Privacy Guard)
uses to store cryptographic keys. The keyring contains both your own
keys and the public keys of others that you've imported. There are two
main types of keyrings:

    Public Keyring:
        This part of the keyring contains the public keys of other users
        that you've imported. These keys are used for verifying signatures
        and encrypting messages that you want to send to others.

    Secret Keyring:
        This part of the keyring contains your own private keys. Each
        private key corresponds to a public key and is used for operations
        like signing messages and decrypting messages that are encrypted
        with your public key.

When you generate a new key pair using GPG, both the public and private
keys are stored in your keyring. You can view the keys in your keyring
using the gpg --list-keys command. The output will show information
about each key, including the key ID, type, creation date, and user IDs.

You can also have subkeyrings within your keyring, separating keys based
on various criteria, such as trust level or key type.

Keyrings are stored in files in your GPG home directory. The default
location for the GPG home directory is ~/.gnupg/, but this can be
configured using the --homedir option with GPG commands.

In summary, the GPG keyring is a critical component of GPG's
functionality, managing the keys needed for secure communication, digital
signatures, and encryption. It keeps track of both your own keys and the
keys of others you interact with in the realm of public-key cryptography.

Subkeys

In asymmetric encryption, you have a key pair consisting of a private
key and a corresponding public key. The public key is derived from the
private key, and it's used for operations like encryption or signature
verification.

In the context of PGP/GPG, when we talk about a "subkey," we are still
referring to a key pair, which includes both a private subkey and its
corresponding public subkey. The primary key also has its own key pair
with a private key and a corresponding public key.

So, in summary:

    Primary Key Pair:
        Private Key: Used for certification and signing.  Public Key:
        Used for verifying certifications and signatures.

    Subkey Pair (for Encryption, for example):
        Private Subkey: Used for specific cryptographic operations, such
        as encryption.  Public Subkey: Used for verifying operations
        performed with the private subkey.

The private subkey is not directly derived from the primary private
key. Instead, both the primary private key and the private subkey are
independently generated and stored as part of the key pair. The private
subkey is encrypted with the passphrase associated with the primary key
for added security.

considerations

• A primary key for each identity (eg. [email protected] / [email protected])
• A subkey for each device.

misc

create key create a subkey --export > public.asc --export-secret-keys > secret.asc --exporter-secret-subkeys > secret_subkeys.asc delete-secret-keys --import secret_subkeys.asc store secret.asc (and public.asc) somewhere secure offline. The subkey is used for signing and encryption. The primary secret is used for pgpkey administration eg. addkey, deletekey, web of trust stuff