Checking relay status...
v2.4.1 — SELF-HOSTABLE — docker compose up -d

Encrypted transport
that burns itself.

Post-quantum file transfer. Encrypted client-side, stored in RAM only, destroyed after one download. For healthcare, legal, and critical infrastructure.

Try ParaShare free → Self-host in 60s ↓
No account  ·  No credit card  ·  Request free API key →
ML-KEM-768
NIST FIPS 203
ML-DSA-65
NIST FIPS 204
AES-256-GCM
Symmetric
HKDF-SHA256
Key derivation
Burn-on-read
RAM-only
5MB padding
DPI masking
Argon2id
RFC 9106
Two-step burn
Preload-proof
Hetzner DE
EU jurisdiction
Relay operator
Run your own relay
Community Edition — free forever, up to 5 users, BUSL-1.1
Self-host ↓
End user
Use a managed relay
Free tier — 10 uploads/day, no account, pgp_ API key
Pricing ↓
Relay network

Ghost Pipe — real-time transport

Public feed. Every dot is an encrypted blob in transit across the relay network. Data is destroyed on arrival.

Relay pipeline
Health
Legal
Finance
IoT
Node map
EU/DE · Anycast
AMS planned FRA Hetzner DE ARN planned CDG planned ORD eval Fly.io planned
AMS
planned
FRA
live
ARN
planned
CDG
planned
ORD
eval
Fly.io
planned
Certificate Transparency Log — live
view all →
Total entries
verified transfers
Current Merkle root
SHA3-256 · public · tamper-evident
Every transfer hashed into a Merkle tree — content never stored
View live CT log →
Use cases

Real problems. Real stakes.

Ghost Pipe solves the same core problem across every sector: confidential data transport that leaves no trace. One relay engine — routed across dedicated subdomains for isolation and sector-specific compliance documentation.

All relay nodes run identical Ghost Pipe software  ·  subdomains provide routing isolation, not different configurations
⊕ Healthcare

DICOM files that vanish after delivery

MRI / CT → Ghost Pipe → PACS. The file exists only for the duration of the transfer, then burns. Nothing to audit, nothing to breach. Designed with NEN 7510 in mind.

# send DICOM file — burned after one download
python3 paramant-sender.py --key pgp_xxx --device mri-001 scan.dcm
python3 paramant-receiver.py --key pgp_xxx --forward https://pacs.hospital/api
Live on health.paramant.app →
§ Legal & Notary

Contracts that leave no recoverable trace

Document → Ghost Pipe → counterparty. After retrieval it's cryptographically gone. The Merkle audit log proves delivery without storing what was delivered — supports eIDAS-compatible audit trails.

# send signed contract — once
python3 paramant-sender.py --key pgp_xxx --device notary-01 contract.pdf
python3 paramant-receiver.py --key pgp_xxx --device counterparty-01
Live on legal.paramant.app →
∿ Industrial IoT / OT

Sensor data without exposing your OT network

PLC → Ghost Pipe → SCADA. No VPN, no certificates, no direct IT connection. Designed with IEC 62443 in mind — quantum-safe data diode. Runs on Raspberry Pi and any Linux device.

# PLC heartbeat every 15s
python3 paramant-sender.py --heartbeat 15 --device plc-factory-01
python3 paramant-receiver.py --forward https://scada.intern/api
Live on iot.paramant.app →
◊ Finance & Compliance

No US CLOUD Act. No metadata leakage.

Hetzner Frankfurt only — no US infrastructure. Fixed 5 MB padding means all transfers look identical. Per-transaction Merkle proof for NIS2/DORA audits — verifiable without knowing the content.

# auto-send new ISO 20022 files
python3 paramant-sender.py --watch /export/iso20022/ --device bank-nl-01
python3 paramant-receiver.py --forward https://compliance.bank.nl/api
Live on finance.paramant.app →
1
relay node live
5MB
fixed padding
0
bytes stored
<100ms
delivery via WebSocket
Works today. No SDK required.
pip install cryptography  ·  two terminal commands  ·  no infra changes
View API docs →
Security

Independently audited. April 2026.

An uncompensated, voluntary security review by Ryan Williams (Smart Cyber Solutions Pty Ltd, AU). All critical and high findings patched before public release.

4
Critical — patched
5
High — patched
6
Medium — patched
5
Low — patched

Crypto stack

ML-KEM-768NIST FIPS 203 — key encapsulation
AES-256-GCMNIST SP 800-38D — symmetric
ML-DSA-65NIST FIPS 204 — signatures
HKDF-SHA256RFC 5869 — key derivation
Argon2idRFC 9106 — password blobs
Rust/WASMBrowser-side encrypt in native code

What a compromised relay cannot do

Read file contents
Substitute a registered public key
Decrypt any stored ciphertext
Identify file size (fixed 5 MB padding)
Recover burned blobs — memory zeroed on download
Independent security audit — April 2026
Ryan Williams · Smart Cyber Solutions Pty Ltd (AU) · uncompensated, voluntary
Full report → Patch status →
Pricing

Simple. Free to start.

Two ways to use PARAMANT — pick the one that fits.

Relay operator
You run the relay
You want to self-host a relay for your team or customers. You control the server.
You receive: plk_ license key
Adds to .env → unlocks >5 users
Community: free forever up to 5 users
End user
You use a relay
You want to send or receive encrypted files. Someone else runs the relay.
You receive: pgp_ API key
Sent in X-Api-Key header
Free: 10 uploads/day — no credit card
plk_ keys are for operators  ·  pgp_ keys are for end users  ·  they are never the same person
COMMUNITY — START HERE
Free
Up to 5 users · BUSL-1.1 · no license key needed
Your server, your data, zero lock-in. Free forever.
  • Full source code — audit everything
  • ML-KEM-768 + AES-256-GCM + ML-DSA-65
  • RAM-only, burn-on-read
  • 5 sector relays via Docker Compose
  • Auto TLS via Let’s Encrypt
  • Zero-downtime user reload
  • Admin panel (/admin/)
  • Community support only
Download v2.4.1 →
RELAY LICENSE
Notify me
Unlimited users · coming Q3 2026
Outgrown 5 users? One plk_ key in .env unlocks unlimited.
  • Everything in Community
  • Unlimited users on your relay
  • Priority security updates
  • E-mail support + SLA
  • Compliance documentation
  • SAML / SSO (coming soon)
Join waitlist →
ENTERPRISE RELAY
Custom
Volume · SLA · regulated industries
Dedicated relay, on-premise option, DICOM / FHIR, compliance docs.
  • Everything in Licensed
  • Dedicated relay — data never shared
  • On-premise option
  • DICOM / FHIR integration
  • NEN 7510 / IEC 62443 design documentation
  • SLA 99.9% + priority support
  • Kubernetes operator (coming soon)
Contact us
License: BUSL-1.1 — source available  ·  Change Date: 2029-01-01 → Apache 2.0  ·  view LICENSE
Self-hosting

Run your own relay.

Source-available under BUSL-1.1. Free for up to 5 users. Full control — your server, your keys, no data leaving your infrastructure.

Choose your install method
π
RASPBERRY PI
Pi 3B+ / 4 / 5
One command. Detects your Pi, installs Docker, disables swap, shows QR code with your relay URL.
curl -fsSL https://paramant.app/install-pi.sh | bash
ARM64 · 512 MB RAM min · Raspberry Pi OS Lite
DOCKER HUB
Linux · amd64 + arm64
Pull the pre-built multi-arch image. No build step, no Node.js required. Works on any Docker host.
docker pull mtty001/relay:latest
# or: docker compose up -d
View on Docker Hub →
>_
LINUX / VPS
Ubuntu · Debian · Hetzner
Clone the repo, configure your .env, and start the full 5-sector stack with nginx and auto-TLS.
git clone github.com/Apolloccrypt/paramant-relay
cp .env.example .env && nano .env
docker compose up -d
★ View on GitHub →
Quick start — Ubuntu / Debian ~2 minutes
# 1. Clone
git clone https://github.com/Apolloccrypt/paramant-relay && cd paramant-relay

# 2. Configure
cp .env.example .env
echo "ADMIN_TOKEN=$(openssl rand -hex 32)" >> .env

# 3. Launch
docker compose up -d

# 4. Verify
curl http://localhost/health
# {"ok":true,"version":"2.4.1","sector":"main"}
★ Star on GitHub Contributing → Changelog → Full docs →