{"id":48833567,"url":"https://github.com/apolloccrypt/paramant-relay","last_synced_at":"2026-04-14T22:02:12.644Z","repository":{"id":346728512,"uuid":"1191328434","full_name":"Apolloccrypt/paramant-relay","owner":"Apolloccrypt","description":"Post-quantum encrypted file relay. ML-KEM-768. Burn-on-read. EU/DE. NIS2/NEN7510/IEC62443 ready.","archived":false,"fork":false,"pushed_at":"2026-04-14T20:20:35.000Z","size":2878,"stargazers_count":17,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-04-14T20:27:57.387Z","etag":null,"topics":["docker","encryption","eu-jurisdiction","file-transfer","gdpr","ml-kem-768","nis2","post-quantum","relay","self-hosted"],"latest_commit_sha":null,"homepage":null,"language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Apolloccrypt.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"custom":["https://paramant.app/pricing"]}},"created_at":"2026-03-25T06:10:12.000Z","updated_at":"2026-04-14T20:20:39.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Apolloccrypt/paramant-relay","commit_stats":null,"previous_names":["apolloccrypt/paramant-relay"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/Apolloccrypt/paramant-relay","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Apolloccrypt%2Fparamant-relay","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Apolloccrypt%2Fparamant-relay/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Apolloccrypt%2Fparamant-relay/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Apolloccrypt%2Fparamant-relay/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Apolloccrypt","download_url":"https://codeload.github.com/Apolloccrypt/paramant-relay/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Apolloccrypt%2Fparamant-relay/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31817128,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-14T18:05:02.291Z","status":"ssl_error","status_checked_at":"2026-04-14T18:05:01.765Z","response_time":153,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","encryption","eu-jurisdiction","file-transfer","gdpr","ml-kem-768","nis2","post-quantum","relay","self-hosted"],"created_at":"2026-04-14T22:02:10.906Z","updated_at":"2026-04-14T22:02:12.629Z","avatar_url":"https://github.com/Apolloccrypt.png","language":"HTML","funding_links":["https://paramant.app/pricing"],"categories":[],"sub_categories":[],"readme":"# PARAMANT — Post-Quantum Encrypted File Relay\n\n[![Version](https://img.shields.io/badge/version-v2.4.5-brightgreen.svg)](CHANGELOG.md)\n[![License](https://img.shields.io/badge/license-BUSL--1.1-blue.svg)](LICENSE)\n[![Security Audit](https://img.shields.io/badge/security-audited%20apr%202026-brightgreen.svg)](docs/security-audit-2026-04.md)\n[![Relays](https://img.shields.io/badge/relays-5%20live-brightgreen.svg)](https://paramant.app/status)\n[![Jurisdiction](https://img.shields.io/badge/jurisdiction-EU%2FDE%20only-blue.svg)](https://paramant.app/compliance/nis2)\n[![Docker](https://img.shields.io/badge/Docker-mtty001%2Frelay-2496ED?logo=docker\u0026logoColor=white)](https://hub.docker.com/r/mtty001/relay)\n\n**Post-quantum encrypted file relay. Burn-on-read. EU jurisdiction. Self-hostable in 2 minutes.**\n\nData is encrypted client-side with ML-KEM-768 + AES-256-GCM, relayed through RAM only, and destroyed after one download. Nothing is ever written to disk. Every transfer is recorded in a public Merkle tree — proving delivery without storing content.\n\n---\n\n## Quick start\n\n```bash\n# 1. Clone\ngit clone https://github.com/Apolloccrypt/paramant-relay \u0026\u0026 cd paramant-relay\n\n# 2. Configure\ncp .env.example .env\necho \"ADMIN_TOKEN=$(openssl rand -hex 32)\" \u003e\u003e .env\n\n# 3. Launch (6 containers: 5 sector relays + admin panel)\ndocker compose up -d\n\n# 4. Verify\ncurl http://localhost:3001/health\n# {\"ok\":true,\"version\":\"2.4.5\",\"sector\":\"health\",\"edition\":\"community\"}\n```\n\nOr on a Raspberry Pi / fresh VPS:\n\n```bash\ncurl -fsSL https://paramant.app/install-pi.sh | bash\n```\n\nOr via the browser — no install:\n**[Try ParaShare →](https://paramant.app/parashare)** (no account, no key needed)\n\n**[Get a free API key →](https://paramant.app/request-key)** (email delivery, 30-second form)\n\n---\n\n## How it works\n\n```\nSender                     Ghost Pipe Relay               Receiver\n------                     ----------------               --------\nfile.pdf                   RAM only — no disk writes      file.pdf\n  │                        burn-on-read                     ▲\n  ▼                        5 MB fixed padding               │\nencrypt(ML-KEM-768)  ───►  hash → Merkle CT log  ────►  decrypt(ML-KEM-768)\nX-Api-Key header           blob destroyed on read          X-Api-Key header\n```\n\n**What the relay never sees:** plaintext, encryption keys, filenames, or recipient identity.  \n**What it does see:** fixed-size (5 MB) ciphertext blobs, blob hashes, API key identifiers.\n\n---\n\n## Use cases\n\n### Healthcare — DICOM / HL7 FHIR (NEN 7510)\n\n```bash\n# Send MRI scan to specialist — burned after one download\npython3 paramant-sender.py \\\n  --key pgp_xxx --device mri-001 --sector health scan.dcm\n\n# Receive and forward to PACS system\npython3 paramant-receiver.py \\\n  --key pgp_xxx --stream --forward https://pacs.hospital.nl/api\n\n# Structured referral (HL7 FHIR R4)\nparamant-referral referral.json --type fhir --from gp-001 --to cardiology-umcg\n```\n\n→ [NEN 7510 compliance](https://paramant.app/compliance/nen7510) · [DICOM setup guide](docs/dicom-guide.md)\n\n---\n\n### Legal \u0026 Notary — eIDAS compatible\n\n```bash\n# Send signed deed — cryptographically gone after receipt, CT log proof preserved\nparamant-notary deed.pdf --sign --receipt\n\n# Court documents with case reference\nparamant-legal summons.pdf --case ROT-2026-1234 --proof\n```\n\n→ [Legal compliance](https://paramant.app/compliance/nis2)\n\n---\n\n### Industrial IoT — IEC 62443\n\n```bash\n# PLC telemetry — no VPN, no direct OT exposure to internet\npython3 paramant-sender.py \\\n  --heartbeat 15 --device plc-factory-01 --sector iot data.bin\n\n# Firmware update to body cams / IoT device fleet\nparamant-firmware update-v2.1.bin \\\n  --sign --device-group bodycams.txt --version 2.1\n```\n\n→ [IEC 62443 compliance](https://paramant.app/compliance/iec62443)\n\n---\n\n### Finance — NIS2 / DORA\n\n```bash\n# ISO 20022 payment file relay with Merkle audit trail\npython3 paramant-sender.py \\\n  --watch /export/iso20022/ --device bank-nl-01 --sector finance\n\n# Every transfer produces a CT log entry for DORA audit\ncurl https://finance.paramant.app/v2/ct -H \"X-Api-Key: pgp_xxx\"\n```\n\n---\n\n### HR — GDPR-compliant payslip distribution\n\n```bash\n# Bulk payslip delivery — no email, no storage, no GDPR risk\nparamant-payslip \\\n  --bulk employees.csv --dir ./payslips/april/\n```\n\n---\n\n### Software supply chain — EU CRA 2027\n\n```bash\n# CI/CD: sign + relay build artifacts with SBOM\nparamant-cra dist/app-v1.2.tar.gz \\\n  --sbom sbom.json --sign --registry https://registry.company.nl/api\n```\n\n---\n\n## Sector relays\n\nFive live relays — each tuned for its compliance domain:\n\n| Subdomain | Sector | Port | Compliance |\n|-----------|--------|------|------------|\n| relay.paramant.app | General | 3000 | — |\n| health.paramant.app | Healthcare | 3001 | NEN 7510, DICOM, HL7 FHIR |\n| legal.paramant.app | Legal/Notary | 3003 | eIDAS, KNB |\n| finance.paramant.app | Finance | 3002 | NIS2, DORA, ISO 20022 |\n| iot.paramant.app | Industrial IoT | 3004 | IEC 62443, EU CRA |\n\nAll five run the same codebase — the `SECTOR` env var determines which compliance mode activates.\n\n---\n\n## Self-hosting\n\n### Linux VPS (Ubuntu 22.04+ / Debian 12+)\n\n```bash\ngit clone https://github.com/Apolloccrypt/paramant-relay\ncd paramant-relay\ncp .env.example .env\necho \"ADMIN_TOKEN=$(openssl rand -hex 32)\" \u003e\u003e .env\ndocker compose up -d\n```\n\nThis starts 6 containers: 5 sector relays + admin panel. System nginx handles TLS.\n\n| Container | Host port | Public URL |\n|-----------|-----------|------------|\n| relay-main | 127.0.0.1:3000 | relay.your-domain |\n| relay-health | 127.0.0.1:3001 | health.your-domain |\n| relay-finance | 127.0.0.1:3002 | finance.your-domain |\n| relay-legal | 127.0.0.1:3003 | legal.your-domain |\n| relay-iot | 127.0.0.1:3004 | iot.your-domain |\n| admin | 127.0.0.1:4200 | your-domain/admin/ |\n\n### Raspberry Pi (arm64)\n\n```bash\ncurl -fsSL https://paramant.app/install-pi.sh | bash\n# Detects Pi model, installs Docker, disables swap, prints relay URL\n```\n\n### Automated full setup (domain + TLS + sectors)\n\n```bash\ncurl -fsSL https://paramant.app/install.sh | bash\n# Prompts: domain, email (Let's Encrypt), admin token, sectors, license key\n```\n\n### Bootable OS (no Docker needed)\n\nFlash [paramantOS](https://github.com/Apolloccrypt/ParamantOS) to USB — relay starts on boot.\n\n---\n\n## API\n\n### Send a file\n\n```bash\ncurl -X POST https://health.paramant.app/v2/inbound \\\n  -H \"X-Api-Key: pgp_your_key\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"hash\":\"sha256_of_payload\",\"payload\":\"base64_5mb_blob\",\"ttl_ms\":3600000}'\n# Returns: {\"blob_hash\":\"sha256...\",\"ttl\":3600}\n```\n\n### Receive a file (burn-on-read)\n\n```bash\ncurl https://health.paramant.app/v2/outbound/abc123... \\\n  -H \"X-Api-Key: pgp_your_key\" --output received-file.bin\n# Blob is destroyed immediately after this response\n```\n\n### Health check (public)\n\n```bash\ncurl https://health.paramant.app/health\n# {\"ok\":true,\"version\":\"2.4.5\",\"sector\":\"health\",\"edition\":\"community\"}\n```\n\n### CT log (authenticated)\n\n```bash\ncurl https://health.paramant.app/v2/ct -H \"X-Api-Key: pgp_your_key\"\n# {\"size\":58,\"root\":\"deed04dd...\",\"entries\":[...]}\n```\n\nFull API reference: [docs/api.md](docs/api.md)\n\n---\n\n## CLI tools\n\nAll 38 `paramant-*` tools are included in [paramantOS](https://github.com/Apolloccrypt/ParamantOS) and installable via `.deb`:\n\n```bash\ncurl -fsSL https://paramant.app/install-client.sh | bash\n```\n\n### Setup \u0026 diagnostics\n\n```\nparamant-help              # full command reference\nparamant-setup             # first-time wizard (key + relay URL)\nparamant-status            # relay health across all sectors\nparamant-doctor            # automated health check\nparamant-relay-setup       # clone + configure + start relay\n```\n\n### Sector tools (use-case specific)\n\n```\nparamant-referral          # healthcare referral (NEN 7510, HL7 FHIR, DICOM)\nparamant-notary            # legal document transport (eIDAS, KNB)\nparamant-legal             # court document relay (replaces Zivver)\nparamant-payslip           # HR payslip distribution (GDPR)\nparamant-firmware          # IoT/body cam firmware updates (IEC 62443)\nparamant-cra               # software supply chain relay (EU CRA 2027)\nparamant-ticket            # one-time transit ticket issuer/verifier\n```\n\n### Key management\n\n```\nparamant-keys              # list all API keys\nparamant-key-add           # add new API key\nparamant-key-revoke        # revoke an API key\n```\n\n### Security \u0026 network\n\n```\nsecurity-status            # all security layers at a glance\nparamant-ports             # firewall rules + listening ports\nparamant-scan              # LAN relay discovery + registry\nparamant-verify            # TOFU fingerprint verification\n```\n\n### Data management\n\n```\nparamant-backup            # backup keys + CT log\nparamant-export            # export audit log to USB\nparamant-logs              # live log stream\nparamant-update            # check for updates\n```\n\n---\n\n## Python SDK\n\n```bash\npip install paramant-sdk\n```\n\n```python\nfrom paramant_sdk import GhostPipe\n\ngp = GhostPipe(api_key=\"pgp_xxx\", device=\"device-001\", sector=\"health\")\n\n# Send — returns blob hash\nhash_ = gp.send(open(\"scan.dcm\", \"rb\").read(), ttl=3600)\n\n# Receive — burn-on-read, returns plaintext bytes\ndata = gp.receive(hash_)\n\n# Anonymous drop with 12-word mnemonic\nmnemonic = gp.drop(b\"sensitive data\", ttl=3600)\ndata     = gp.pickup(mnemonic)\n```\n\n---\n\n## Security\n\nThe relay is **untrusted by design** — it never holds a decryption key.\n\n| What a compromised relay can do | What it cannot do |\n|---------------------------------|-------------------|\n| Deny service | Read file contents |\n| Learn transfer timing | Substitute a registered public key |\n| See blob sizes (fixed 5 MB) | Decrypt any stored ciphertext |\n\n**Crypto stack:**\n\n| Layer | Standard |\n|-------|----------|\n| Key encapsulation | ML-KEM-768 · NIST FIPS 203 |\n| Symmetric | AES-256-GCM · NIST SP 800-38D |\n| Signatures | ML-DSA-65 · NIST FIPS 204 |\n| Key derivation | HKDF-SHA256 · RFC 5869 |\n| Password blobs | Argon2id · RFC 9106 |\n| Crypto runtime | Rust/WASM — browser-side encryption runs in native code |\n| Storage | RAM only — never written to disk |\n| Padding | 5 MB fixed — all transfers look identical (DPI masking) |\n| Audit log | SHA3-256 Merkle tree — tamper-evident, public |\n| Infrastructure | Hetzner Frankfurt DE — EU jurisdiction only, no US CLOUD Act |\n| Docker | cap_drop ALL, no-new-privileges, read-only rootfs |\n\n**Security audits (April 2026):**\n\n- **2026-04-13 — R. Zwarts dependency review:** 0 npm vulnerabilities. Node 20 EOL → node:22-alpine. express 4.x → 5.x. Commit [e6f216d](https://github.com/Apolloccrypt/paramant-relay/commit/e6f216d)\n- **2026-04-11 — R. Zwarts verification review:** 14 findings (1 high · 8 medium · 5 low), all resolved. Commit [e6f216d](https://github.com/Apolloccrypt/paramant-relay/commit/e6f216d)\n- **2026-04-10 — R. Zwarts independent audit:** 6 findings (3 high · 3 medium), all resolved. Commit [0db3ef0](https://github.com/Apolloccrypt/paramant-relay/commit/0db3ef0)\n- **2026-04-08 — Ryan Williams, Smart Cyber Solutions (AU):** 4 critical · 5 high · 6 medium · 5 low. [Full report](docs/security-audit-2026-04.md)\n\nAll findings publicly documented in [SECURITY.md](SECURITY.md).\n\n---\n\n## Compliance\n\n| Regulation | Status | Details |\n|------------|--------|---------|\n| NIS2 (EU 2022/2555) | Ready | [Compliance page](https://paramant.app/compliance/nis2) |\n| NEN 7510 (Healthcare NL) | Ready* | [Compliance page](https://paramant.app/compliance/nen7510) |\n| IEC 62443 (Industrial IoT) | Ready | [Compliance page](https://paramant.app/compliance/iec62443) |\n| DORA (Finance EU) | Ready | NIS2 compliance covers DORA Art. 6 |\n| EU CRA 2027 | Designed for | paramant-cra tool + CT log |\n| GDPR Art. 28 | Ready | [Verwerkersovereenkomst](https://paramant.app/verwerkersovereenkomst) |\n\n*NEN 7510: finding #4 (filename in transit RAM) patched in v2.4.5 — filename encrypted in relay RAM and never written to disk.\n\n---\n\n## Pricing\n\n| Tier | Price | Users | Features |\n|------|-------|-------|---------|\n| Community | Free | Up to 5 | Full source, all sectors, self-hosted, no key required |\n| Professional | €149/mo | Up to 50 | Webhooks, 24h retention, email support, `plk_` license |\n| Enterprise | Custom | Unlimited | Dedicated relay, SLA 99.9%, compliance docs, TOTP MFA |\n\n[Full pricing →](https://paramant.app/#pricing) · [Get a free API key →](https://paramant.app/request-key)\n\n---\n\n## Docs\n\n| | |\n|--|--|\n| [docs/api.md](docs/api.md) | Full API reference — all endpoints, request/response formats |\n| [docs/self-hosting.md](docs/self-hosting.md) | Docker deploy, nginx, TLS, env vars, upgrade |\n| [docs/dicom-guide.md](docs/dicom-guide.md) | Healthcare sector — DICOM gateway, HL7 FHIR, NEN 7510 |\n| [docs/licensing.md](docs/licensing.md) | Key types, edition limits, Ed25519 enforcement |\n| [docs/security.md](docs/security.md) | Threat model, crypto stack, audit reports |\n| [Apolloccrypt/ParamantOS](https://github.com/Apolloccrypt/ParamantOS) | Bootable NixOS ISO — plug in, boot, relay is live |\n| [CHANGELOG.md](CHANGELOG.md) | Version history |\n| [SECURITY.md](SECURITY.md) | Vulnerability reporting |\n\n---\n\n**Requirements:** 1 GB RAM · Ubuntu 22.04+ / Debian 12+ · Docker 24+ · swap disabled\n\n**License:** BUSL-1.1 — source available, free for ≤ 5 active API keys per relay.\n\nLicensor: PARAMANT | Jurisdiction: EU/DE | Contact: privacy@paramant.app\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapolloccrypt%2Fparamant-relay","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fapolloccrypt%2Fparamant-relay","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapolloccrypt%2Fparamant-relay/lists"}