Tor Hidden Service VPS for Onion v3 Sites

Onion v3 keys are 56 character addresses backed by ed25519 cryptography. Loss of the private key is loss of the identity itself, so we recommend generating keys on an air gapped machine, transferring only the secret to the VPS over an authenticated channel, and excluding the HiddenServiceDir from any unencrypted backup. AnubizHost ships VPS images with full disk encryption available at provisioning time so the onion key never lives on plaintext disk.

Single Hop, Stealth, and OnionBalance configurations are all supported. For high traffic services we deploy multiple front nodes behind a single onion address using OnionBalance so a compromise of one front does not unmask the master descriptor. Each front node lives on a separate VPS with no shared filesystem to limit blast radius.

Tor itself is robust, but the application behind it usually is not. We pre-harden hidden service VPS with systemd unit isolation including ProtectSystem strict, NoNewPrivileges, PrivateTmp, and CapabilityBoundingSet restricted to nothing. The web server runs as an unprivileged user with no listening port on any interface other than the loopback that Tor connects to. Outbound clearnet is blocked at iptables to prevent accidental deanonymization through misbehaving plugins or update checks.

We supply hardened Nginx and Caddy templates with no Server header, no version banner, no default error pages, and disabled ETags to reduce the side channel surface that researchers like the OnionScan team have used to fingerprint hidden services. Templates are versioned in our docs portal and updated whenever a new fingerprinting class becomes public.

AnubizHost retains no per-customer traffic logs and no hypervisor side flow data. Hidden service VPS do not appear in any public network map and are not labeled internally as such. From our hypervisor we see a virtual machine that consumes CPU, memory, and disk; we cannot inspect what runs inside without breaching the customer agreement, which we will not do absent a valid court order from the hosting jurisdiction.

Signup requires only an email and a crypto payment. Bitcoin and Monero are accepted on every plan. We never ask for a phone number, an ID, or a real name. If you need to operate a long lived hidden service in a hostile threat environment, this is the floor for plausible deniability.