Generating random session keys for each message isn't the problem, the problem is how to transfer them between Alice and Bob without an attacker in the middle being able to determine them, and without an attacker in the middle being able to stockpile ciphertexts that they can later demand the key for. Managing it yourself with something like GPG is pretty much out of the question due to the fact that it wasn't really designed for that sort of communication, you would need some specialized software program. GPG allows for secure transfer of session keys, but essentially everyone uses it with long term keys because it doesn't aid end users in using ephemeral keys. Right now the only software programs I know of that allow for ephemeral keys / forward secrecy use DH or ECDH and they are Torchat and OTR. I like OTR, I dislike Torchat primarily due to the fact that it makes you run as a hidden service. That said nothing prevents someone from making a OpenPGP compliant program that makes this sort of system easy to manage, although it would be easiest if it doesn't require the user to actually handle keys themselves at all (like OTR, where you never have to type in a password, load someone elses public key or look at your own public key, because the software does all of it for you. Another example of software like this is Tor, and Torchat due to the fact that it piggybacks on Tor for encryption). See with GPG Alice and Bob exchange public keys and use them in the process of encrypting messages for each other. The public and private keys stay the same for long periods of time and large volumes of messages. Since the same private key is used to decrypt the session keys on dozens or even hundreds of messages, the compromise of one long term private key can be used to decrypt all of the ciphertexts that were encrypted to it. With OTR, a new ephemeral public key is generated for each message and after Alice sends the message (and for Bob after he decrypts it) the ephemeral keys are securely overwritten. This means that an attacker who stockpiles a thousand ciphertexts will never be able to get the keys to decrypt them because the keys are destroyed immediately after they are used. Furthermore, unless Alice or Bob are malicious and running malicious clients, even they will never see the ephemeral public keys used or know the session keys, because OTR handles all of that for you.