NOW SELF-HOSTABLE — docker compose up -d

Encrypted transport
that burns itself.

Post-quantum file transfer for healthcare, legal, and critical infrastructure. Data lives in RAM only — retrieved once, then gone forever.

  • ML-KEM-768 · NIST FIPS 203
  • ML-DSA-65 · NIST FIPS 204
  • AES-256-GCM · Symmetric
  • HKDF-SHA256 · Key derivation
  • Burn-on-read · RAM-only
  • 5MB padding · DPI masking
  • Argon2id · RFC 9106
  • Two-step burn · Preload-proof
  • Hetzner DE · EU jurisdiction

Live network

Ghost Pipe — real-time transport

Public feed. Every dot is an encrypted blob in transit across the relay network. Data is destroyed on arrival.

[Figure: relay pipeline (Health, Legal, Finance, IoT) and node map, EU/DE · Anycast: AMS (NL), FRA (DE, Hetzner), ARN (SE, Stockholm), CDG (FR, Paris), ORD (eval), Fly.io edge; 6 nodes]
Certificate Transparency Log — live
Total entries
verified transfers
Current Merkle root
SHA-256 · public · tamper-evident
Every transfer hashed into a Merkle tree — content never stored

Sectors & problems

Real problems. Real stakes.

Each sector has a data transport problem existing solutions cannot solve without leaving traces. Ghost Pipe is running today — two commands and it works.

Healthcare

Problem

MRI and CT scanners produce DICOM files that must reach the radiologist in milliseconds. SFTP leaves files on the server. S3 is plaintext at rest. VPN breaks at firewalls. A breach costs €4.2M on average and triggers NEN 7510 liability.

Solution

DICOM → Ghost Pipe → PACS. The file exists only for the duration of the transfer, then burns. No NEN 7510 audit trail needed — there is nothing to audit.

# DICOM gateway — runs today
python3 dicom-gateway.py --port 8090 --device mri-001
# receiver → PACS
python3 paramant-receiver.py --forward https://pacs.hospital/api
Live on health.paramant.app →

Legal & Notary

Problem

Lawyers send contracts over email (unencrypted), WeTransfer (stored), or secure email (still stored somewhere). The moment a file lands on a server it can be subpoenaed, hacked, or leaked. Legal professional privilege does not survive a server breach.

Solution

Contract → Ghost Pipe → counterparty. After the notary retrieves the document it is cryptographically gone. The Merkle audit log proves delivery without storing what was delivered — admissible under eIDAS.

# send signed contract
python3 paramant-sender.py --key pgp_xxx --device notary-01 contract.pdf
# counterparty receives once — then gone
python3 paramant-receiver.py --key pgp_xxx --device counterparty-01
Live on legal.paramant.app →

Industrial IoT / OT

Problem

PLCs and SCADA sensors send energy consumption, process temperatures, and production volumes. Plain MQTT leaks competitive intelligence. VPNs add latency and fail at scale. IEC 62443 requires encrypted transport with device identity. OT networks cannot have direct IT connections.

Solution

Sensor → Ghost Pipe → SCADA dashboard. Sub-100ms via NATS push. No VPN, no certificates, no IT overhead. Works on ESP32 and Raspberry Pi. Ghost Pipe acts as a quantum-safe data diode — OT never touches IT directly.

# PLC heartbeat every 15s
python3 paramant-sender.py --heartbeat 15 --device plc-factory-01
# forward to SCADA
python3 paramant-receiver.py --forward https://scada.intern/api
Live on iot.paramant.app →

Finance & Compliance

Problem

Banks send KYC documents and signing keys over TLS — but the transport provider still sees metadata, timing, and payload size. The US CLOUD Act means any US-hosted service can be compelled to hand over data. NIS2 and DORA require an auditable, tamper-proof delivery chain.

Solution

All traffic on finance.paramant.app runs exclusively on Hetzner Frankfurt. No US infrastructure. 20MB fixed padding means all transfers look identical. The Merkle audit chain gives per-transaction proof of delivery — verifiable without knowing the content.

# watch directory, auto-send new files
python3 paramant-sender.py --watch /export/iso20022/ --device bank-nl-01
# forward to compliance system
python3 paramant-receiver.py --forward https://compliance.bank.nl/api
Live on finance.paramant.app →
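
The "verifiable without knowing the content" claim above rests on Merkle inclusion proofs. The sketch below is an added example, not PARAMANT's code: it assumes an RFC 6962-style tree (0x00/0x01 prefixes) over the SHA-256 of each transferred blob, which the page does not specify, and every function name and sample blob is constructed for illustration.

```python
import hashlib
import hmac

def leaf_hash(blob: bytes) -> bytes:
    # Assumption: leaf = H(0x00 || SHA-256(blob)), interior = H(0x01 || l || r).
    return hashlib.sha256(b"\x00" + hashlib.sha256(blob).digest()).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def split(n: int) -> int:
    return 1 << ((n - 1).bit_length() - 1)  # largest power of two below n

def merkle_root(leaves: list) -> bytes:
    if len(leaves) == 1:
        return leaves[0]
    k = split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves: list, index: int) -> list:
    # Log side: sibling hashes on the path from the leaf up to the root.
    if len(leaves) == 1:
        return []
    k = split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]

def root_from_proof(leaf: bytes, index: int, size: int, proof: list) -> bytes:
    if not 0 <= index < size or (size == 1) != (not proof):
        raise ValueError("index or proof length does not match tree size")
    if size == 1:
        return leaf
    k, rest, sibling = split(size), proof[:-1], proof[-1]
    if index < k:
        return node_hash(root_from_proof(leaf, index, k, rest), sibling)
    return node_hash(sibling, root_from_proof(leaf, index - k, size - k, rest))

def verify_inclusion(blob, index, size, proof, root) -> bool:
    # Auditor side: holds the blob; the log only ever held 32-byte hashes.
    try:
        got = root_from_proof(leaf_hash(blob), index, size, proof)
    except ValueError:
        return False
    return hmac.compare_digest(got, root)

# Constructed sample data: five encrypted blobs, logged as hashes only.
BLOBS = [b"constructed-ciphertext-%d" % i for i in range(5)]
LOG = [leaf_hash(b) for b in BLOBS]
ROOT = merkle_root(LOG)
```

A party holding the blob, its index, the proof and the published root can confirm the transfer was logged; a changed blob, a wrong index or a truncated proof all fail verification.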
5 relay nodes live  ·  20MB fixed padding  ·  0 bytes stored  ·  <100ms delivery via WebSocket
Works today. No SDK required.
pip install cryptography  ·  two terminal commands  ·  no infra changes

Pricing

Simple. Free to start.

Self-host for free. No account, no credit card, no lock-in. Managed hosting and enterprise options available when you need more than 5 users on your relay.

SELF-HOST — START HERE
Free
Community Edition — BUSL-1.1
Full control. Your server, your data, zero lock-in.
  • + Full source code — audit everything
  • + ML-KEM-768 + AES-256-GCM
  • + RAM-only, burn-on-read
  • + 4 sector relays via Docker Compose
  • + Auto TLS via Let's Encrypt
  • + Up to 5 users
  • + Zero-downtime user reload
  • – No commercial support
Download v2.2.1 →
ENTERPRISE
Custom
Volume and SLA pricing
For regulated industries — healthcare, legal, finance.
  • + Everything in Hosted
  • + Dedicated relay — your data never shared
  • + On-premise relay option
  • + DICOM / FHIR integration
  • + NEN 7510 / IEC 62443 compliance docs
  • + SLA 99.9% + priority support
  • + SAML / SSO
  • + Kubernetes operator

Self-hosting

Run your own relay.

PARAMANT is source-available under BUSL-1.1. Deploy your own post-quantum encrypted relay on any Linux server — full control, no lock-in, no data leaving your infrastructure.

Community Edition — Free
  • Full source code — audit everything
  • ML-KEM-768 + AES-256-GCM
  • RAM-only, burn-on-read
  • Docker Compose included
  • Up to 5 users
  • No commercial support
Download v2.2.1 →
Relay License — coming soon
  • Everything in Community
  • Unlimited users on your relay
  • Priority security updates
  • E-mail support + SLA
  • SAML / SSO
  • Compliance documentation
Choose your install method
RASPBERRY PI
Pi 3B+ / 4 / 5
One command. Detects your Pi, installs Docker, disables swap, shows QR code with your relay URL.
curl -fsSL https://paramant.app/install-pi.sh | bash
ARM64 · 512 MB RAM min · Raspberry Pi OS Lite
DOCKER HUB
Linux · amd64 + arm64
Pull the pre-built multi-arch image. No build step, no Node.js required. Works on any Docker host.
docker pull mtty001/relay:latest
# or: docker compose up -d
LINUX / VPS
Ubuntu · Debian · Hetzner
Clone the repo, configure your .env, and start the full 4-sector stack with nginx and auto-TLS.
git clone https://github.com/Apolloccrypt/paramant-relay && cd paramant-relay
cp .env.example .env && nano .env
docker compose up -d
Quick start — Ubuntu / Debian ~2 minutes
# 1. Clone
git clone https://github.com/Apolloccrypt/paramant-relay && cd paramant-relay

# 2. Configure
cp .env.example .env
echo "ADMIN_TOKEN=$(openssl rand -hex 32)" >> .env

# 3. Launch
docker compose up -d

# 4. Verify
curl http://localhost/health
# {"ok":true,"version":"2.2.1","edition":"community"}