Secure Server: Authenticationless Encryption

TL;DR

This guide shows you how to set up a server that doesn’t require usernames and passwords, but still keeps your data completely private using end-to-end encryption. We’ll use SSH keys for access and WireGuard for secure communication.

Setting Up Authenticationless Encryption

  1. Generate an SSH Key Pair
    • On your client machine (the computer you’ll connect *from*), open a terminal.
    • Run the following command to create a new key pair:
      ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
    • You’ll be prompted for a passphrase. Leaving it blank creates an authenticationless key, but it is less secure: the private key is stored unencrypted, so anyone who obtains the file can use it. Consider using a strong passphrase if security is paramount, and use ssh-agent to manage the key.

      The -f option already sets the file location (~/.ssh/id_ed25519), so press Enter twice at the passphrase prompts to leave the passphrase empty.

  2. Copy the Public Key to the Server
    • Use ssh-copy-id to copy your public key to the server. Replace user with your username on the server and server_ip with the server’s IP address:
      ssh-copy-id user@server_ip
    • You’ll be prompted for the server password *this one time*. After this, you should be able to connect without a password.
  3. Disable Password Authentication on the Server
    • Connect to your server using SSH:
      ssh user@server_ip
    • Edit the SSH daemon configuration file:
      sudo nano /etc/ssh/sshd_config
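    • Find these lines (uncomment them if they start with #) and set them as follows:
      • PasswordAuthentication no
      • ChallengeResponseAuthentication no (recent OpenSSH releases treat this keyword as a deprecated alias of KbdInteractiveAuthentication)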
    • Save the file (Ctrl+X, Y, Enter).
    • Restart the SSH service to apply the changes:
      sudo systemctl restart sshd
  4. Install and Configure WireGuard
    • On the server:
      sudo apt update && sudo apt install wireguard -y
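    • Generate private and public keys for the server. /etc/wireguard is writable only by root, and umask 077 keeps the private key unreadable to other users:
      sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key'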
    • Create a WireGuard configuration file (e.g., /etc/wireguard/wg0.conf). Here’s an example:
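      [Interface]
      PrivateKey = <contents of /etc/wireguard/server_private.key>
      Address = 10.8.0.1/24
      ListenPort = 51820
      PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
      PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

      [Peer]
      PublicKey = <contents of the client_public.key generated in step 5>
      AllowedIPs = 10.8.0.2/32

      Replace eth0 with your server’s network interface. The [Peer] section registers the client from step 5; the server only accepts tunnel traffic from peers listed here. The MASQUERADE rule only passes client traffic to the internet if IP forwarding is enabled on the server (net.ipv4.ip_forward = 1).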

  5. Configure WireGuard on the Client
    • Install WireGuard on your client machine.
    • Generate private and public keys for the client:
      (umask 077; wg genkey | tee ~/.ssh/client_private.key | wg pubkey > ~/.ssh/client_public.key)
    • Create a WireGuard configuration file (e.g., /etc/wireguard/wg0.conf) on the client:
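      [Interface]
      PrivateKey = <contents of ~/.ssh/client_private.key>
      Address = 10.8.0.2/32
      DNS = 8.8.8.8, 8.8.4.4

      [Peer]
      PublicKey = <contents of the server's /etc/wireguard/server_public.key>
      AllowedIPs = 0.0.0.0/0
      Endpoint = server_ip:51820

      Replace server_ip with your server’s IP address. AllowedIPs = 0.0.0.0/0 routes all of the client’s IPv4 traffic through the tunnel.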

  6. Start WireGuard Interfaces
    • On the server:
      sudo wg-quick up wg0
    • On the client:
      sudo wg-quick up wg0
  7. Verify Connection
    • Check your client’s IP address. It should be 10.8.0.2.
      ip addr show wg0
    • Ping a public website from the client:
      ping google.com
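
To confirm that step 3 took effect, the following added example (not part of the original guide) audits the effective settings printed by sshd -T instead of the file you edited: sshd keeps the first value it reads for each keyword, so a configuration file included earlier can override the edit. The function name audit_sshd and both sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the *effective* sshd settings after step 3.
# Real use:  sudo sshd -T | audit_sshd
# (sshd -T prints the effective configuration as lowercase "keyword value" lines.)

# Constructed sample: password logins still on despite the edit.
SAMPLE_BAD='port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

# Constructed sample: older OpenSSH that prints the legacy keyword name.
SAMPLE_GOOD_LEGACY='port 22
pubkeyauthentication yes
passwordauthentication no
challengeresponseauthentication no'

# Prints one line per finding; returns 0 only if key-only login is in effect.
audit_sshd() {
    awk '
        { seen[$1] = $2 }
        END {
            bad = 0
            if (seen["pubkeyauthentication"] != "yes") {
                print "FAIL pubkeyauthentication is not yes"; bad = 1
            }
            if (seen["passwordauthentication"] != "no") {
                print "FAIL passwordauthentication is not no"; bad = 1
            }
            # The keyboard-interactive switch appears under either name,
            # depending on the OpenSSH version; every name present must be "no".
            n = split("kbdinteractiveauthentication challengeresponseauthentication", name, " ")
            found = 0
            for (i = 1; i <= n; i++) {
                if (name[i] in seen) {
                    found = 1
                    if (seen[name[i]] != "no") {
                        print "FAIL " name[i] " is not no"; bad = 1
                    }
                }
            }
            if (!found) { print "FAIL keyboard-interactive setting not found"; bad = 1 }
            if (!bad) print "OK key-only login is in effect"
            exit bad
        }'
}
```

Run it from a second terminal before closing the session you used to edit sshd_config, so a failed check can still be corrected.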