Security
gpg — encrypt, decrypt, sign, verify
## Generate key

- `gpg --full-generate-key` — interactive (recommend RSA 4096, no expiry only if you have a revocation strategy)
- `gpg --list-keys` — public keys
- `gpg --list-secret-keys --keyid-format LONG` — secret keys with long ID

## Export + import

- `gpg --export --armor email > pub.asc` — export public key (ASCII)
- `gpg --export-secret-keys --armor email > priv.asc` — export secret key (back up offline)
- `gpg --import pub.asc` — import a key

## Encrypt + decrypt

- `gpg -ear recipient -o out.gpg in` — encrypt for recipient, ASCII output
- `gpg -d in.gpg > out` — decrypt to stdout/file
- `gpg -c file` — symmetric encrypt (passphrase, no key needed)

## Sign + verify

- `gpg --clearsign file` — sign with the signature inline; the text stays readable (writes `file.asc`)
- `gpg --detach-sign file` — produces `file.sig`
- `gpg --verify file.sig file` — verify a detached sig

## Manage trust

- `gpg --edit-key email` then `trust` — set trust level for an imported key

## Revoke

- `gpg --gen-revoke email > revoke.asc` — generate a revocation cert *now* (store offline). If your key leaks, you import this cert and publish it.