The most important commands on handling keys and de-/encryptions using the "GNU Privacy Guard" (or GnuPG or GPG) can be found here: Basic GnuPG.
The following scenario works at least on Debian Sarge, probabely on most *nix-sytems:
A: mkdir directory  touch directory/file  B: ln directory/file ~/my_cracker_file A: chmod 0700 directory echo "secret content" > directory/file B: cat ~/my_cracker_file
To be found here.
If your machine allows SSH-logins, it is possible for users to work on the machine without appearing in "w", "last" and similar:
ssh username@ssh-server /bin/sh -i sh-2.05b$ w|grep username sh-2.05b$
The reason is that the user doesn't have a normal interactive shell (according to the SSHD,
which just runs one command and then exits again). But: This command is "/bin/sh -i"
which does give the user a shell it can work with.
Only /var/log/auth.log mentions, who logged in when.
Why it might be a bad idea to enable X11-forwarding by default is explained in this article: SSH Users beware: The hazards of X11 forwarding.
If you want users to be able to use scp/sftp but have no shell access on your server, you have several options:
"deb http://debian.home-dn.net/woody ssh/"(and/or
"deb-src ..."respectively) to your
/etc/apt/sources.list. (04-03-15: There are packages for Sarge now as well, just replace "woody" with "sarge" in the mentioned sources.list entry.)