Updated in 2021
The Debian developer community refused to implement transport crypto for updates because “signing packages is secure enough”. Utter bullshit.
This is a quick guide on how to dramatically improve the privacy and security of your Ubuntu web server. It requires the installation of “apt-transport-tor”, an application that allows APT transfers to occur over Tor. We’ll also use “apt-transport-https”, which is already installed in Ubuntu.
The Wikimedia Ubuntu repo has a good TLS configuration, and they don't block Tor.
On your server, first install Tor.
Then perform the following:
sudo apt update && sudo apt dist-upgrade -y && sudo apt install apt-transport-tor
sudo vim /etc/apt/sources.list
Edit “sources.list” so that it contains only “deb” lines. “deb-src” is only needed if you build from source, which most people do not, so you can safely delete the deb-src lines from the file. Replace all of the default Ubuntu repos with Wikimedia’s and be sure to add “tor+” before the “https”. Doing so adds end-to-end encryption via HTTPS and routes the transfers over Tor, meaning network adversaries will have a more difficult time analyzing what software, and what versions of it, are installed on your web server.
deb tor+https://mirrors.wikimedia.org/ubuntu/ focal main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ focal-updates main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ focal-backports main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ focal-security main restricted universe multiverse
deb tor+https://deb.torproject.org/torproject.org focal main
All your future apt update and dist-upgrade commands will now be performed over Tor and using high-grade HTTPS.
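To confirm that no source still bypasses Tor after the edit, the following check (an added example, not part of the original guide) lists every active one-line “deb”/“deb-src” entry whose URI does not start with “tor+https://”. The function name audit_sources is hypothetical, and the check assumes the classic one-line format, not deb822 “.sources” files.

```shell
#!/bin/sh
# audit_sources FILE...
# Hypothetical helper (added example): prints every active APT source entry
# that does not use the tor+https transport. Returns 0 if all entries are
# Torified, 1 if at least one is not.
audit_sources() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            type = $1
            if (type != "deb" && type != "deb-src") next
            uri = $2
            # An optional [opt=value ...] block may span several fields;
            # the URI is the first field after the closing bracket.
            if (uri ~ /^\[/) {
                i = 2
                while (i <= NF && $i !~ /\]$/) i++
                uri = $(i + 1)
            }
            # "tor+https://" is 12 characters long.
            if (substr(uri, 1, 12) != "tor+https://") {
                printf "%s:%d: %s entry uses %s\n", FILENAME, FNR, type, uri
                bad = 1
            }
        }
        END { exit bad }
    ' "$@"
}
```

Run it as audit_sources /etc/apt/sources.list /etc/apt/sources.list.d/*.list, since APT also reads the files under sources.list.d and a leftover entry there would still be fetched outside Tor.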