Start by reading the GPG MiniHOWTO, and following the examples in there.
Then refer to the GPG manual for more information as required.
If possible
When experimenting, please use -v and -vv in order to see more information on what's happening.
--symmetric is specifically symmetric encryption, which is not supposed to use keys - it uses the passphrase only, so being able to decrypt with only the passphrase is expected.
Symmetric encryption - only a passphrase
The simplest --symmetric command line to encrypt is
gpg -v --symmetric test.txt
though I would strongly recommend choosing a better cipher and larger number of key derivation iterations, i.e.
gpg -v --cipher-algo AES256 --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65600000 --symmetric test.txt
for AES256 encryption with a SHA-512 digest and a large key iteration count (please increase it from what I've listed as well), or
gpg -v --cipher-algo CAMELLIA256 --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65600000 --symmetric test.txt
for CAMELLIA256 as above otherwise.
Signatures - no encryption by itself
-sb is two forms of signature together, and acts the same as -b. This DOES NOT ENCRYPT in the first place, it just signs with a detached signature; a more complete usage would be:
gpg -u <mykeyid> -b test.txt
for the detached signature
Public Key Encryption
A public key example of a signature plus encryption is:
gpg -v --local-user <mykeyidToSign> --recipient <theirkeyidToEncryptTo> --sign --encrypt test.txt
Public key generation
I recommend a stronger passphrase encryption and digest algorithm when generating keys as well:
gpg --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 95600000 --cert-digest-algo SHA512 --gen-key
gpg --edit-key <mynewkey>
And, as above, increase --s2k-count further, please.
This not only creates a strong passphrase derivation, but also sets a strong, modern key self-signature (--cert-digest-algo). Some old or limited GPG or PGP software may not support new self-signatures of SHA512; you can use SHA256 instead there if you have to, but I rarely see issues with SHA512 these days (and they should upgrade if they have them).
Follow that up by setting preferences to the strongest defaults that you can, for example
gpg --edit-key <mynewkey>
setpref AES256 CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128 3DES SHA512 SHA384 SHA256 SHA224 SHA1 BZIP2 ZIP ZLIB
save
This step is safe, as any properly configured sending software will simply go down the list to find the first cipher that matches, the first hash that matches, and the first compression that matches.
Public key passphrases
Note that the passphrase (entered when generating the key, changeable with the passwd command in the --edit-key mode) is what encrypts the private key; it is NOT used by whoever is using the public key, and SHOULD be kept as secret as the private key itself.
Both passphrase and public key encryption, requiring both
If you want the recipient to have BOTH the private key, AND a passphrase known by both parties (sender and recipient), then you have to run GPG twice, i.e.
gpg -v --cipher-algo CAMELLIA256 --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65600000 --symmetric test.txt
First use symmetric encryption, which will be the SECOND decryption (the "inside" layer of the encryption onion).
gpg -v --local-user <mykeyidToSign> --recipient <theirkeyidToEncryptTo> --sign --encrypt test.txt.gpg
Then use public key encryption on the previously encrypted file; note this one is on test.txt.gpg, and outputs test.txt.gpg.gpg
The recipient (or their automated process) will first decrypt the public key portion with their private key as well as validate the signature. Then, if it's a corporate-wide or team key, they can route the message to the intended recipient who has the symmetric key.
Decryption (both public and private)
gpg -v --decrypt test.txt.gpg
gpg -K
on the machine where you wanted to decrypt the file (not having the private keys).
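What the --s2k-mode 3, --s2k-digest-algo SHA512 and --s2k-count options in the commands above control, as an added example that is not part of the original answer and not GnuPG's own code: the iterated and salted string-to-key function of RFC 4880 section 3.7.1.3, including the one-octet encoding of the count. The function names, salt and passphrase are constructed for illustration; rounding a requested count up to the next representable value and capping it at the maximum is an assumption of this example.

```python
import hashlib

def decode_count(coded: int) -> int:
    """Expand the one-octet coded count (RFC 4880, section 3.7.1.3)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def encode_count(requested: int) -> int:
    """Smallest coded octet whose count is >= requested, capped at 255.
    Assumption of this example: round up, and clamp out-of-range requests."""
    for coded in range(256):
        if decode_count(coded) >= requested:
            return coded
    return 255

def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded: int,
                        key_len: int, digest: str = "sha512") -> bytes:
    """Derive key_len bytes the way S2K mode 3 specifies."""
    if len(salt) != 8:
        raise ValueError("S2K salt is exactly 8 octets")
    data = salt + passphrase
    # The count is the number of octets hashed, not the number of rounds;
    # salt+passphrase is always hashed at least once in full.
    count = max(decode_count(coded), len(data))
    block = data * 4096  # feed the hash in large, data-aligned chunks
    key, preload = b"", 0
    while len(key) < key_len:
        h = hashlib.new(digest)
        h.update(b"\x00" * preload)  # extra contexts are preloaded with zeros
        remaining = count
        while remaining >= len(block):
            h.update(block)
            remaining -= len(block)
        full, rest = divmod(remaining, len(data))
        h.update(data * full + data[:rest])
        key += h.digest()
        preload += 1
    return key[:key_len]

if __name__ == "__main__":
    # Constructed sample values, not taken from any real message.
    salt, passphrase = bytes(range(8)), b"correct horse battery staple"
    for requested in (65536, 65600000, 95600000):
        coded = encode_count(requested)
        print(f"requested {requested:>9} -> coded {coded:3d} -> "
              f"{decode_count(coded)} octets hashed")
    key = s2k_iterated_salted(passphrase, salt, encode_count(65600000), 32)
    print("AES256 key:", key.hex())
```

The one-octet encoding tops out at 65011712 octets (coded value 255), so under this example's rounding both 65600000 and 95600000 map to that same maximum.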