PARAMANT — Post-Quantum Encrypted File Transfer

Use cases

Real problems. Real stakes.

Ghost Pipe solves the same core problem across every sector: confidential data transport that leaves no trace. One relay engine — routed across dedicated subdomains for isolation and sector-specific compliance documentation.

◉ All relay nodes run identical Ghost Pipe software · subdomains provide routing isolation, not different configurations

⊕ Healthcare

DICOM files that vanish after delivery

MRI / CT → Ghost Pipe → PACS. The file exists only for the duration of the transfer, then burns. Nothing to audit, nothing to breach. Designed with NEN 7510 in mind.

# send DICOM file — burned after one download
python3 paramant-sender.py --key pgp_xxx --device mri-001 scan.dcm
python3 paramant-receiver.py --key pgp_xxx --forward https://pacs.hospital/api

Live on health.paramant.app →

§ Legal & Notary

Contracts that leave no recoverable trace

Document → Ghost Pipe → counterparty. After retrieval it's cryptographically gone. The Merkle audit log proves delivery without storing what was delivered — supports eIDAS-compatible audit trails.

# send signed contract — once
python3 paramant-sender.py --key pgp_xxx --device notary-01 contract.pdf
python3 paramant-receiver.py --key pgp_xxx --device counterparty-01

Live on legal.paramant.app →

∿ Industrial IoT / OT

Sensor data without exposing your OT network

PLC → Ghost Pipe → SCADA. No VPN, no certificates, no direct IT connection. Designed with IEC 62443 in mind — quantum-safe data diode. Runs on Raspberry Pi and any Linux device.

# PLC heartbeat every 15s
python3 paramant-sender.py --heartbeat 15 --device plc-factory-01
python3 paramant-receiver.py --forward https://scada.intern/api

Live on iot.paramant.app →

◊ Finance & Compliance

No US CLOUD Act. No metadata leakage.

Hetzner Frankfurt only — no US infrastructure. Fixed 5 MB padding means all transfers look identical. Per-transaction Merkle proof for NIS2/DORA audits — verifiable without knowing the content.

# auto-send new ISO 20022 files
python3 paramant-sender.py --watch /export/iso20022/ --device bank-nl-01
python3 paramant-receiver.py --forward https://compliance.bank.nl/api

Live on finance.paramant.app →

relay sectors live

5MB

fixed padding

bytes stored

<100ms

delivery via WebSocket

Works today. No SDK required.

pip install cryptography · two terminal commands · no infra changes

View API docs →

Self-hosting

Run your own relay.

Source-available under BUSL-1.1. Free for up to 5 users. Full control — your server, your keys, no data leaving your infrastructure.

Choose your install method

RASPBERRY PI

Pi 3B+ / 4 / 5

One command. Detects your Pi, installs Docker, disables swap, shows QR code with your relay URL.

curl -fsSL https://paramant.app/install-pi.sh | bash

ARM64 · 512 MB RAM min · Raspberry Pi OS Lite

⬡

DOCKER HUB

Linux · amd64 + arm64

Pull the pre-built multi-arch image. No build step, no Node.js required. Works on any Docker host.

docker pull mtty001/relay:latest
# or: docker compose up -d

View on Docker Hub →

LINUX / VPS

Ubuntu · Debian · Hetzner

Clone the repo, configure your .env, and start the full 5-sector stack with nginx and auto-TLS.

git clone github.com/Apolloccrypt/paramant-relay
cp .env.example .env && nano .env
docker compose up -d

★ View on GitHub →

Quick start — Ubuntu / Debian ~2 minutes

# 1. Clone
git clone https://github.com/Apolloccrypt/paramant-relay && cd paramant-relay

# 2. Configure
cp .env.example .env
echo "ADMIN_TOKEN=$(openssl rand -hex 32)" >> .env

# 3. Launch
docker compose up -d

# 4. Verify
curl http://localhost/health
# {"ok":true,"version":"2.4.2","sector":"main"}

★ Star on GitHub Contributing → Changelog → Full docs →

Pricing

Simple. Free to start.

Two ways to use PARAMANT — pick the one that fits.

Relay operator

You run the relay

You want to self-host a relay for your team or customers. You control the server.

You receive: plk_ license key
Adds to .env → unlocks >5 users

Community: free forever up to 5 users

⋮

End user

You use a relay

You want to send or receive encrypted files. Someone else runs the relay.

You receive: pgp_ API key
Sent in X-Api-Key header

Free: 10 uploads/day — no credit card

plk_ keys are for operators · pgp_ keys are for end users · they are never the same person

COMMUNITY — START HERE

Free

Up to 5 users · BUSL-1.1 · no license key needed

Your server, your data, zero lock-in. Free forever.

✓ Full source code — audit everything
✓ ML-KEM-768 + AES-256-GCM + ML-DSA-65
✓ RAM-only, burn-on-read
✓ 5 sector relays via Docker Compose
✓ Auto TLS via Let’s Encrypt
✓ Zero-downtime user reload
✓ Admin panel (/admin/)
– Community support only

Download v2.4.2 →

RELAY LICENSE

Notify me

Unlimited users · coming Q3 2026

Outgrown 5 users? One plk_ key in .env unlocks unlimited.

✓ Everything in Community
✓ Unlimited users on your relay
✓ Priority security updates
✓ E-mail support + SLA
✓ Compliance documentation
○ SAML / SSO (coming soon)

Join waitlist →

ENTERPRISE RELAY

Custom

Volume · SLA · regulated industries

Dedicated relay, on-premise option, DICOM / FHIR, compliance docs.

✓ Everything in Licensed
✓ Dedicated relay — data never shared
✓ On-premise option
✓ DICOM / FHIR integration
✓ NEN 7510 / IEC 62443 design documentation
✓ SLA 99.9% + priority support
○ Kubernetes operator (coming soon)

License: BUSL-1.1 — source available · view LICENSE

Encrypted transport
that burns itself.

Ghost Pipe — real-time transport

Real problems. Real stakes.

DICOM files that vanish after delivery

Contracts that leave no recoverable trace

Sensor data without exposing your OT network

No US CLOUD Act. No metadata leakage.

Run your own relay.

Simple. Free to start.

Encrypted transportthat burns itself.

Ghost Pipe — real-time transport

Real problems. Real stakes.

DICOM files that vanish after delivery

Contracts that leave no recoverable trace

Sensor data without exposing your OT network

No US CLOUD Act. No metadata leakage.

Run your own relay.

Simple. Free to start.

Encrypted transport
that burns itself.