PARAMANT — Post-Quantum Encrypted File Transfer

Sectors & problems

Real problems. Real stakes.

Each sector has a data transport problem existing solutions cannot solve without leaving traces. Ghost Pipe is running today — two commands and it works.

♥ Healthcare

DICOM files that vanish after delivery

MRI / CT → Ghost Pipe → PACS. The file exists only for the duration of the transfer, then burns. Nothing to audit, nothing to breach. NEN 7510 compliant by design.

# DICOM gateway
python3 dicom-gateway.py --port 8090 --device mri-001
python3 paramant-receiver.py --forward https://pacs.hospital/api

Live on health.paramant.app →

⚖ Legal & Notary

Contracts that can't be subpoenaed

Document → Ghost Pipe → counterparty. After retrieval it's cryptographically gone. The Merkle audit log proves delivery without storing what was delivered — admissible under eIDAS.

# send signed contract — once
python3 paramant-sender.py --key pgp_xxx --device notary-01 contract.pdf
python3 paramant-receiver.py --key pgp_xxx --device counterparty-01

Live on legal.paramant.app →

⚡ Industrial IoT / OT

Sensor data without exposing your OT network

PLC → Ghost Pipe → SCADA. Sub-100ms via NATS. No VPN, no certificates, no direct IT connection. IEC 62443-compliant quantum-safe data diode. Runs on ESP32 and Raspberry Pi.

# PLC heartbeat every 15s
python3 paramant-sender.py --heartbeat 15 --device plc-factory-01
python3 paramant-receiver.py --forward https://scada.intern/api

Live on iot.paramant.app →

🏦 Finance & Compliance

No US CLOUD Act. No metadata leakage.

Hetzner Frankfurt only — no US infrastructure. Fixed 20 MB padding means all transfers look identical. Per-transaction Merkle proof for NIS2/DORA audits — verifiable without knowing the content.

# auto-send new ISO 20022 files
python3 paramant-sender.py --watch /export/iso20022/ --device bank-nl-01
python3 paramant-receiver.py --forward https://compliance.bank.nl/api

Live on finance.paramant.app →

relay nodes live

20MB

fixed padding

bytes stored

<100ms

delivery via WebSocket

Works today. No SDK required.

pip install cryptography · two terminal commands · no infra changes

View API docs →

Pricing

Simple. Free to start.

Two ways to use PARAMANT — pick the one that fits.

Relay operator

You run the relay

You want to self-host a relay for your team or customers. You control the server.

You receive: plk_ license key
Adds to .env → unlocks >5 users

Community: free forever up to 5 users

⋮

End user

You use a relay

You want to send or receive encrypted files. Someone else runs the relay.

You receive: pgp_ API key
Sent in X-Api-Key header

Free: 10 uploads/day — no credit card

plk_ keys are for operators · pgp_ keys are for end users · they are never the same person

COMMUNITY — START HERE

Free

Up to 5 users · BUSL-1.1 · no license key needed

Your server, your data, zero lock-in. Free forever.

✓ Full source code — audit everything
✓ ML-KEM-768 + AES-256-GCM + ML-DSA-65
✓ RAM-only, burn-on-read
✓ 4 sector relays via Docker Compose
✓ Auto TLS via Let’s Encrypt
✓ Zero-downtime user reload
✓ Admin panel (r34ct0r)
– Community support only

Download v2.2.1 →

RELAY LICENSE

Notify me

Unlimited users · coming Q3 2026

Outgrown 5 users? One plk_ key in .env unlocks unlimited.

✓ Everything in Community
✓ Unlimited users on your relay
✓ Priority security updates
✓ E-mail support + SLA
✓ Compliance documentation
✓ SAML / SSO

Join waitlist →

ENTERPRISE RELAY

Custom

Volume · SLA · regulated industries

Dedicated relay, on-premise option, DICOM / FHIR, compliance docs.

✓ Everything in Licensed
✓ Dedicated relay — data never shared
✓ On-premise option
✓ DICOM / FHIR integration
✓ NEN 7510 / IEC 62443 docs
✓ SLA 99.9% + priority support
✓ Kubernetes operator

License: BUSL-1.1 — source available · Change Date: 2029-01-01 → Apache 2.0 · view LICENSE

Self-hosting

Run your own relay.

Source-available under BUSL-1.1. Free for up to 5 users. Full control — your server, your keys, no data leaving your infrastructure.

Choose your install method

🍎

RASPBERRY PI

Pi 3B+ / 4 / 5

One command. Detects your Pi, installs Docker, disables swap, shows QR code with your relay URL.

curl -fsSL https://paramant.app/install-pi.sh | bash

ARM64 · 512 MB RAM min · Raspberry Pi OS Lite

📥

DOCKER HUB

Linux · amd64 + arm64

Pull the pre-built multi-arch image. No build step, no Node.js required. Works on any Docker host.

docker pull mtty001/relay:latest
# or: docker compose up -d

View on Docker Hub →

📄

LINUX / VPS

Ubuntu · Debian · Hetzner

Clone the repo, configure your .env, and start the full 4-sector stack with nginx and auto-TLS.

git clone github.com/Apolloccrypt/paramant-relay
cp .env.example .env && nano .env
docker compose up -d

★ View on GitHub →

Quick start — Ubuntu / Debian ~2 minutes

# 1. Clone
git clone https://github.com/Apolloccrypt/paramant-relay && cd paramant-relay

# 2. Configure
cp .env.example .env
echo "ADMIN_TOKEN=$(openssl rand -hex 32)" >> .env

# 3. Launch
docker compose up -d

# 4. Verify
curl http://localhost/health
# {"ok":true,"version":"2.2.1","edition":"community"}

★ Star on GitHub Contributing → Changelog → Full docs →

Encrypted transport
that burns itself.

Ghost Pipe — real-time transport

Real problems. Real stakes.

DICOM files that vanish after delivery

Contracts that can't be subpoenaed

Sensor data without exposing your OT network

No US CLOUD Act. No metadata leakage.

Simple. Free to start.

Run your own relay.

Encrypted transportthat burns itself.

Ghost Pipe — real-time transport

Real problems. Real stakes.

DICOM files that vanish after delivery

Contracts that can't be subpoenaed

Sensor data without exposing your OT network

No US CLOUD Act. No metadata leakage.

Simple. Free to start.

Run your own relay.

Encrypted transport
that burns itself.