I'm currently working on a project that requires encrypted data be passed between WCF hosts. As I understand it there are only 2 ways to ensure that data passed over WCF is secure.
- Using Certificates
- Using a Domain (or having the same username and password on every machine on the network)
Using certificates can be expensive and complicated to manage, and since we're not guaranteed to have a server class machine at every deployment, a Domain is also out of the question. Having every machine use the same username and password is also problematic if that password ever needs to be changed.
Currently we use OpenSSH to tunnel our connections between hosts. Is there another option built into the framework that I'm unaware of?
Encryption requires a key. Keys are usually implemented as certificates. If you own both sides of the communication, you can create your own certificate for free without having to go buy one from a trusted root authority.
Here is an alternative. Works without IIS and SSL/X509 certificates.
If you are using an HTTP endpoint, you can use a secure transport such as HTTPS.
Use traditional encryption of the data that you are placing inside the WCF container. Maybe something like the following:
http://www.obviex.com/samples/EncryptionWithSalt.aspx
The cheapest method is probably to run your own certification authority. This means you have total control over the certificates, but you do not have to pay for external certification. If you automate this appropriately, you can give every machine on your net a cryptographic identity and use your local certification to tie everything together.
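The private-CA approach from the answer above, as an added example that is not code from any of the posters: POSIX shell functions around the `openssl` CLI that create a CA, issue a certificate per host, and check that it chains to that CA. The CA name, directory layout and host name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a private CA that gives each WCF host its own certificate.
# Directory layout, CA name and host names are constructed for illustration.

# make_ca DIR: create the CA key and a self-signed CA certificate in DIR.
make_ca() {
    mkdir -p "$1" && chmod 700 "$1" || return 1
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal WCF CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # -nodes leaves the key unencrypted so the demo runs unattended;
    # protect a real CA key with a passphrase or keep it offline.
    openssl req -x509 -newkey rsa:3072 -sha256 -nodes -days 3650 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_host_cert DIR HOST: new key + CSR for HOST, signed by the CA in DIR.
issue_host_cert() {
    openssl req -new -newkey rsa:2048 -sha256 -nodes -config "$1/ca.cnf" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    # Leaf certificate: not a CA, usable for both ends of a mutual-auth channel.
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth,clientAuth' \
        "subjectAltName=DNS:$2" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$1/$2.ext" \
        -out "$1/$2.crt" 2>/dev/null
}

# verify_host_cert DIR HOST: succeed only if HOST's cert chains to DIR's CA.
verify_host_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Stand-alone demo: sh this_file --demo
if [ "${1:-}" = "--demo" ]; then
    make_ca ./demo-ca && issue_host_cert ./demo-ca host-a.example.internal &&
        verify_host_cert ./demo-ca host-a.example.internal && echo "chain OK"
fi
```

Each host needs only its own key and certificate plus `ca.crt` as its trust anchor; the CA key stays on the issuing machine.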