Generate an x25519 private key
------------------------------

We can generate an x25519 private key with openssl(1) (1.1.0 or newer is
needed):

    % openssl genpkey -algorithm x25519 -out pkey.pem
    % cat pkey.pem
    -----BEGIN PRIVATE KEY-----
    MC4CAQAwBQYDK2VuBCIEIChUKzhOqb4SfBpM6rwuY5hI6nkjuyAZjywT5iaNnDNx
    -----END PRIVATE KEY-----
    % cat pkey.pem | sed '/PRIVATE KEY/d' | tr -d '\n' | base64 -d | tail -c 32 | python3.7 -c 'import base64, sys; print(base64.b32encode(sys.stdin.buffer.read()).decode().rstrip("="))' > pkey
    % cat pkey
    FBKCWOCOVG7BE7A2JTVLYLTDTBEOU6JDXMQBTDZMCPTCNDM4GNYQ


Generate corresponding x25519 public key
----------------------------------------

We can extract the x25519 public key with openssl(1) (1.1.0 or newer is
needed):

    % openssl pkey -in pkey.pem -pubout
    -----BEGIN PUBLIC KEY-----
    MCowBQYDK2VuAyEAe6FSTYh3Ui6IBDDZH5M8VImpjBEF2pFurXKQe/wo1y0=
    -----END PUBLIC KEY-----
    % openssl pkey -in pkey.pem -pubout | sed '/PUBLIC KEY/d' | tr -d '\n' | base64 -d | tail -c 32 | python3.7 -c 'import base64, sys; print(base64.b32encode(sys.stdin.buffer.read()).decode().rstrip("="))' > pub
    % cat pub
    POQVETMIO5JC5CAEGDMR7EZ4KSE2TDARAXNJC3VNOKIHX7BI24WQ


Setting Tor client
------------------

On the client side we need to add `ClientOnionAuthDir' to the torrc:

    ClientOnionAuthDir /var/chroot/tor/clientauth/

...create the corresponding directory:

    # cd /var/chroot/tor
    # mkdir clientauth
    # chown tor:tor clientauth
    # chmod 700 clientauth

...and then put in the clientauth/ directory a .auth_private with the
following syntax (where does *not* contain trailing .onion!):

    :descriptor:x25519:

E.g. in server-example.auth_private:

    :descriptor:x25519:FBKCWOCOVG7BE7A2JTVLYLTDTBEOU6JDXMQBTDZMCPTCNDM4GNYQ


Setting Tor hidden server
-------------------------

On the server we need to populate the /authorized_clients/ directory with
the corresponding public key with the following syntax (where does *not*
contain trailing .onion!):

    ::

E.g. in client-example.auth_private:

    descriptor:x25519:POQVETMIO5JC5CAEGDMR7EZ4KSE2TDARAXNJC3VNOKIHX7BI24WQ
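
The two PEM-to-base32 conversions above, as an added Python example that is not part of the original page: it checks the DER header for the X25519 OID before taking the 32 key bytes, so a PEM of another key type is rejected instead of passing silently through `tail -c 32'. The function and constant names and the "a" * 56 address are assumptions made for the example.

```python
import base64

# DER headers openssl writes in front of the 32 raw key bytes.
# Both contain the X25519 OID 1.3.101.110 (06 03 2b 65 6e).
PRIV_HDR = bytes.fromhex("302e020100300506032b656e04220420")  # PKCS#8 private key
PUB_HDR = bytes.fromhex("302a300506032b656e032100")           # SubjectPublicKeyInfo

# The key pair printed on this page.
PAGE_PRIV_PEM = """-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VuBCIEIChUKzhOqb4SfBpM6rwuY5hI6nkjuyAZjywT5iaNnDNx
-----END PRIVATE KEY-----"""
PAGE_PUB_PEM = """-----BEGIN PUBLIC KEY-----
MCowBQYDK2VuAyEAe6FSTYh3Ui6IBDDZH5M8VImpjBEF2pFurXKQe/wo1y0=
-----END PUBLIC KEY-----"""


def pem_to_b32(pem, header):
    """Check the DER header, then base32-encode the 32 key bytes without padding."""
    lines = (line.strip() for line in pem.splitlines())
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    if not der.startswith(header) or len(der) != len(header) + 32:
        raise ValueError("not an X25519 key in the expected DER layout")
    return base64.b32encode(der[len(header):]).decode().rstrip("=")


def client_line(onion, priv_pem):
    """Content of the client's .auth_private file; onion is the service
    address without the trailing .onion (parameter name is an assumption)."""
    if onion.endswith(".onion"):
        raise ValueError("give the address without the trailing .onion")
    return f"{onion}:descriptor:x25519:{pem_to_b32(priv_pem, PRIV_HDR)}"


def server_line(pub_pem):
    """Content of the file placed in the service's authorized_clients/ directory."""
    return f"descriptor:x25519:{pem_to_b32(pub_pem, PUB_HDR)}"


if __name__ == "__main__":
    # "a" * 56 is a constructed stand-in, not a real onion address.
    print(client_line("a" * 56, PAGE_PRIV_PEM))
    print(server_line(PAGE_PUB_PEM))
```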