by e12e
4715 days ago
I'd say ("first time") setup is pretty easy (and has been for a while). The tricky part (as always) is managing the keys (the private key, and the (optional) revocation key) -- and managing trust. Key management is tricky because if you have a truly secure pass-phrase (that is, one that contains >= 128 bits "worth" of entropy (or even >= 65 bits which might be enough), a pass-phrase that can be considered at least as secure as the symmetric session keys) -- then that is going to be awkward to type in (and remember). And if you don't -- then you need to be (extra) careful about where you store your secret key ring, where it is backed up, etc. (you should be careful about this anyway). And it is still tricky to carefully manage which keys you trust, and bootstrapping trust is hard. The latter can be alleviated somewhat by having a few "designated CAs" in a company -- e.g. have the IT department set up GPG, and make sure that they verify and sign people's keys along with setting up accounts etc.
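The comment's point about trust management (which keys you trust, and how a fully trusted "designated CA" key in a company short-circuits the bootstrapping problem) can be made concrete with a toy model of the web-of-trust validity rules. The following is an added example, not code from the thread or from GnuPG: the thresholds mirror GnuPG's documented defaults (one fully trusted signer or three marginally trusted signers, maximum certification depth of five), but the algorithm is a simplification, and the key names (`me`, `alice`, `it_ca`, ...) are constructed.

```python
"""Toy model of web-of-trust key validity (added example, not GnuPG's code).

Owner trust says how much we trust a key's OWNER to verify other people's
keys; validity says whether we believe a key really belongs to its name.
A key becomes valid when it is signed by enough valid, trusted keys.
"""
from dataclasses import dataclass, field

# Owner-trust levels, in increasing order.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = range(5)

COMPLETES_NEEDED = 1   # one fully trusted signer validates a key ...
MARGINALS_NEEDED = 3   # ... or three marginally trusted signers
MAX_CERT_DEPTH = 5     # longest accepted path from our own (ultimate) key


@dataclass
class Keyring:
    owner_trust: dict[str, int] = field(default_factory=dict)
    # signatures[subject] = set of keys that have certified `subject`
    signatures: dict[str, set[str]] = field(default_factory=dict)

    def sign(self, signer: str, subject: str) -> None:
        self.signatures.setdefault(subject, set()).add(signer)

    def validity(self) -> dict[str, bool]:
        """Return {key: is_valid}, iterating until no new key becomes valid."""
        valid = {k for k, t in self.owner_trust.items() if t == ULTIMATE}
        depth = {k: 0 for k in valid}  # certification-path length per valid key
        changed = True
        while changed:
            changed = False
            for key, signers in self.signatures.items():
                if key in valid:
                    continue
                full = marginal = 0
                best_depth = None
                for s in signers:
                    # A signature only counts if the signer's own key is valid
                    # and the resulting path is not too long.
                    if s not in valid or depth[s] + 1 > MAX_CERT_DEPTH:
                        continue
                    t = self.owner_trust.get(s, UNKNOWN)
                    if t in (FULL, ULTIMATE):
                        full += 1
                    elif t == MARGINAL:
                        marginal += 1
                    else:
                        continue  # UNKNOWN / NEVER signers contribute nothing
                    d = depth[s] + 1
                    best_depth = d if best_depth is None else min(best_depth, d)
                if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                    valid.add(key)
                    depth[key] = best_depth
                    changed = True
        all_keys = set(self.owner_trust) | set(self.signatures)
        all_keys |= {s for ss in self.signatures.values() for s in ss}
        return {k: (k in valid) for k in sorted(all_keys)}


def without_designated_ca() -> dict[str, bool]:
    """Flat web of trust: I verified alice and trust her only marginally."""
    kr = Keyring(owner_trust={"me": ULTIMATE, "alice": MARGINAL})
    kr.sign("me", "alice")
    kr.sign("alice", "bob")    # one marginal signature is not enough for bob
    kr.sign("bob", "carol")    # bob is not valid, so his signature is worthless
    return kr.validity()


def marginal_quorum() -> dict[str, bool]:
    """Three marginally trusted colleagues each certify carol."""
    kr = Keyring(owner_trust={"me": ULTIMATE, "alice": MARGINAL,
                              "bob": MARGINAL, "dave": MARGINAL})
    for k in ("alice", "bob", "dave"):
        kr.sign("me", k)
        kr.sign(k, "carol")
    return kr.validity()


def with_designated_ca() -> dict[str, bool]:
    """Company model: IT's key is fully trusted and certifies everyone it verified."""
    kr = Keyring(owner_trust={"me": ULTIMATE, "it_ca": FULL})
    kr.sign("me", "it_ca")  # I verified the IT key's fingerprint once, in person
    for colleague in ("alice", "bob", "carol"):
        kr.sign("it_ca", colleague)
    return kr.validity()


if __name__ == "__main__":
    print("flat web, marginal trust :", without_designated_ca())
    print("three marginal signers   :", marginal_quorum())
    print("designated CA (IT, full) :", with_designated_ca())
```

The first scenario shows the bootstrapping problem from the comment: a chain of marginally trusted keys never makes anyone beyond the first hop valid. The last one shows the fix it proposes: verifying one fully trusted CA key makes every key that CA certifies valid, so individual users only ever have to verify one fingerprint.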