No OpenSSH. No OpenSSL. Just Rust and a kernel.
I've been building IONA OS — a sovereign operating system written entirely in Rust — for the past 13 years.
Last week, I finished one of the most complex components I've ever written: a full SSH server and VPN stack, both with post-quantum cryptography, running inside the kernel itself.
No external libraries. No OpenSSH. No OpenSSL. Just Rust, bare metal, and a lot of math.
Here's how I did it.
Why post‑quantum?
Quantum computers are coming. When they arrive, they will break RSA and ECC — the cryptographic foundations of almost everything on the internet.
The US government has set a deadline: by 2035, all federal systems must be post‑quantum ready.
I didn't want to wait. I wanted IONA OS to be post‑quantum from day one.
So I implemented Dilithium (ML-DSA) — a lattice‑based signature scheme standardised by NIST — from scratch, in Rust, in the kernel.
What "from scratch in the kernel" actually means
Most people use libraries:
- OpenSSH for SSH
- OpenVPN for VPN
- OpenSSL for crypto
-
pqcrypto-dilithiumfor post‑quantum
I used none of them.
Everything was written from zero, in Rust, with no std, no heap allocator (in the critical paths), and no external dependencies.
This means:
- No
libc - No
randcrate - No
sha2crate - No
x25519-dalek - No
curve25519-dalek - No
pqcrypto-dilithium
Every bit of crypto — every NTT transform, every modular reduction, every Keccak round — was written by me.
What I built
1. Post‑Quantum SSH Server
A full SSH server running inside the kernel, listening on port 2222.
Implemented correctly:
- mpint encoding — big integer serialisation
- ChaCha20‑Poly1305 AEAD — with round‑trip encryption and tamper rejection
- KEX (Key Exchange) — using Curve25519 + Dilithium
- Host‑key signature — signed with Dilithium
- KDF — key derivation for session keys
2. Post‑Quantum VPN
A VPN protocol running alongside SSH, with:
- Control framing
- Mutual signatures — both sides authenticate with Dilithium
- Data‑channel AEAD — ChaCha20‑Poly1305 for packet encryption
- Tamper rejection — modified packets are dropped
3. Post‑Quantum Crypto
- Dilithium (ML-DSA) — for signatures
- Kyber (ML-KEM) — for key encapsulation (planned/partial)
- ChaCha20‑Poly1305 — for symmetric encryption
- Curve25519 — for elliptic curve Diffie‑Hellman
- SHA‑256 / SHA‑384 — for hashing
All written from zero.
The boot log that proves it works
Here's what happens when IONA OS boots:
[SSH] self-test passed: mpint encoding, cipher round-trip + tamper rejection, KEX agreement, host-key signature, KDF
[VPN] self-test passed: control framing, KEX agreement, mutual signatures, key derivation, data-channel AEAD + tamper rejection
[SEC] PQ crypto: ... SSH=OK OpenVPN=OK RSA=OK
[SCHED] spawn 'ssh-accept-loop' tid=16 ...
[BOOT-SEQ] ssh-server OK 2272ms
What this means:
-
self-test passed— every cryptographic component was verified at boot -
tamper rejection— modified packets are detected and dropped -
KEX agreement— the key exchange works correctly -
mutual signatures— both sides authenticate using Dilithium -
PQ crypto: SSH=OK OpenVPN=OK— post‑quantum crypto is active -
2272ms— the entire stack initialises in just 2.27 seconds
The hardest part: Dilithium from scratch
Dilithium is a lattice‑based signature scheme.
It's not just "hard" — it's one of the most complex cryptographic algorithms ever standardised.
What makes it hard:
- NTT (Number Theoretic Transforms) — you need fast polynomial multiplication
- Fiat‑Shamir with Aborts — the signing algorithm can fail and retry
- Modular arithmetic — strict, no overflow, no timing leaks
- Side‑channel resistance — the code must run in constant time
-
Memory constraints — no heap, no
Vec, noBox
Writing it in Rust, in no_std, in the kernel, without any external help, took months.
But it works.
Why this matters
Most operating systems depend on:
- OpenSSH for remote access
- OpenVPN / WireGuard for VPN
- OpenSSL / LibreSSL for crypto
IONA OS has none of these dependencies.
It is completely sovereign.
If you want to connect to an IONA OS machine, you use its native SSH server — with post‑quantum security, running directly in the kernel.
No Linux. No userspace. No OpenSSL.
What's next
This is not the end. It's the foundation.
- Mesh networking — combine VPN with peer discovery to build a fully encrypted mesh between IONA OS devices
- Zero‑trust authentication — mutual signatures make every connection verifiable
- Post‑quantum TLS — same stack, used for HTTPS
But that's for another article.
The code
You can find the full source code (including Dilithium, SSH, and VPN) in the IONA OS repository:
github.com/Ionablokchain/Iona-OS
The project is not yet production‑ready — but the foundation is solid.
Final thoughts
When I started building IONA OS, people told me:
"You can't build an OS alone."
"You can't write your own crypto."
"You can't implement Dilithium from scratch."
I did all three.
This SSH server is proof that one person can build sovereign infrastructure — if they have the patience, the discipline, and the belief that it's possible.
IONA OS launches on September 15, 2026.
Website: iona.zone
GitHub: github.com/Ionablokchain
13 years of research. Every line written from scratch. And it works.
Top comments (0)