So, last night's bedtime reading material was about NaCl. No, the other NaCl, the crypto API:
Their API has three main public functions: generate keypair, encrypt-and-sign, and verify-then-decrypt. It's pretty fast, uses a seemingly good elliptic-curve variant, doesn't require memory allocations in the encryption/decryption path, is safe from pesky timing attacks, and works fine with streaming (TCP) as well as lossy (UDP) communications. It also seems to be nearly 100% impossible to use incorrectly.
Meanwhile, Heartbleed. Compare and contrast.