https://github.com/apolloccrypt/paramant-relay
Post-quantum encrypted file relay. ML-KEM-768. Burn-on-read. EU/DE. NIS2/NEN7510/IEC62443 ready.
https://github.com/apolloccrypt/paramant-relay
docker encryption eu-jurisdiction file-transfer gdpr ml-kem-768 nis2 post-quantum relay self-hosted
Last synced: 3 months ago
JSON representation
Post-quantum encrypted file relay. ML-KEM-768. Burn-on-read. EU/DE. NIS2/NEN7510/IEC62443 ready.
- Host: GitHub
- URL: https://github.com/apolloccrypt/paramant-relay
- Owner: Apolloccrypt
- License: other
- Created: 2026-03-25T06:10:12.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2026-04-14T20:20:35.000Z (3 months ago)
- Last Synced: 2026-04-14T20:27:57.387Z (3 months ago)
- Topics: docker, encryption, eu-jurisdiction, file-transfer, gdpr, ml-kem-768, nis2, post-quantum, relay, self-hosted
- Language: HTML
- Size: 2.74 MB
- Stars: 17
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Security: SECURITY.md
Awesome Lists containing this project
README
# PARAMANT — Post-Quantum Encrypted File Relay
[](CHANGELOG.md)
[](LICENSE)
[](docs/security-audit-2026-04.md)
[](https://paramant.app/status)
[](https://paramant.app/compliance/nis2)
[](https://hub.docker.com/r/mtty001/relay)
**Post-quantum encrypted file relay. Burn-on-read. EU jurisdiction. Self-hostable in 2 minutes.**
Data is encrypted client-side with ML-KEM-768 + AES-256-GCM, relayed through RAM only, and destroyed after one download. Nothing is ever written to disk. Every transfer is recorded in a public Merkle tree — proving delivery without storing content.
---
## Quick start
```bash
# 1. Clone
git clone https://github.com/Apolloccrypt/paramant-relay && cd paramant-relay
# 2. Configure
cp .env.example .env
echo "ADMIN_TOKEN=$(openssl rand -hex 32)" >> .env
# 3. Launch (6 containers: 5 sector relays + admin panel)
docker compose up -d
# 4. Verify
curl http://localhost:3001/health
# {"ok":true,"version":"2.4.5","sector":"health","edition":"community"}
```
Or on a Raspberry Pi / fresh VPS:
```bash
curl -fsSL https://paramant.app/install-pi.sh | bash
```
Or via the browser — no install:
**[Try ParaShare →](https://paramant.app/parashare)** (no account, no key needed)
**[Get a free API key →](https://paramant.app/request-key)** (email delivery, 30-second form)
---
## How it works
```
Sender Ghost Pipe Relay Receiver
------ ---------------- --------
file.pdf RAM only — no disk writes file.pdf
│ burn-on-read ▲
▼ 5 MB fixed padding │
encrypt(ML-KEM-768) ───► hash → Merkle CT log ────► decrypt(ML-KEM-768)
X-Api-Key header blob destroyed on read X-Api-Key header
```
**What the relay never sees:** plaintext, encryption keys, filenames, or recipient identity.
**What it does see:** fixed-size (5 MB) ciphertext blobs, blob hashes, API key identifiers.
---
## Use cases
### Healthcare — DICOM / HL7 FHIR (NEN 7510)
```bash
# Send MRI scan to specialist — burned after one download
python3 paramant-sender.py \
--key pgp_xxx --device mri-001 --sector health scan.dcm
# Receive and forward to PACS system
python3 paramant-receiver.py \
--key pgp_xxx --stream --forward https://pacs.hospital.nl/api
# Structured referral (HL7 FHIR R4)
paramant-referral referral.json --type fhir --from gp-001 --to cardiology-umcg
```
→ [NEN 7510 compliance](https://paramant.app/compliance/nen7510) · [DICOM setup guide](docs/dicom-guide.md)
---
### Legal & Notary — eIDAS compatible
```bash
# Send signed deed — cryptographically gone after receipt, CT log proof preserved
paramant-notary deed.pdf --sign --receipt
# Court documents with case reference
paramant-legal summons.pdf --case ROT-2026-1234 --proof
```
→ [Legal compliance](https://paramant.app/compliance/nis2)
---
### Industrial IoT — IEC 62443
```bash
# PLC telemetry — no VPN, no direct OT exposure to internet
python3 paramant-sender.py \
--heartbeat 15 --device plc-factory-01 --sector iot data.bin
# Firmware update to body cams / IoT device fleet
paramant-firmware update-v2.1.bin \
--sign --device-group bodycams.txt --version 2.1
```
→ [IEC 62443 compliance](https://paramant.app/compliance/iec62443)
---
### Finance — NIS2 / DORA
```bash
# ISO 20022 payment file relay with Merkle audit trail
python3 paramant-sender.py \
--watch /export/iso20022/ --device bank-nl-01 --sector finance
# Every transfer produces a CT log entry for DORA audit
curl https://finance.paramant.app/v2/ct -H "X-Api-Key: pgp_xxx"
```
---
### HR — GDPR-compliant payslip distribution
```bash
# Bulk payslip delivery — no email, no storage, no GDPR risk
paramant-payslip \
--bulk employees.csv --dir ./payslips/april/
```
---
### Software supply chain — EU CRA 2027
```bash
# CI/CD: sign + relay build artifacts with SBOM
paramant-cra dist/app-v1.2.tar.gz \
--sbom sbom.json --sign --registry https://registry.company.nl/api
```
---
## Sector relays
Five live relays — each tuned for its compliance domain:
| Subdomain | Sector | Port | Compliance |
|-----------|--------|------|------------|
| relay.paramant.app | General | 3000 | — |
| health.paramant.app | Healthcare | 3001 | NEN 7510, DICOM, HL7 FHIR |
| legal.paramant.app | Legal/Notary | 3003 | eIDAS, KNB |
| finance.paramant.app | Finance | 3002 | NIS2, DORA, ISO 20022 |
| iot.paramant.app | Industrial IoT | 3004 | IEC 62443, EU CRA |
All five run the same codebase — the `SECTOR` env var determines which compliance mode activates.
---
## Self-hosting
### Linux VPS (Ubuntu 22.04+ / Debian 12+)
```bash
git clone https://github.com/Apolloccrypt/paramant-relay
cd paramant-relay
cp .env.example .env
echo "ADMIN_TOKEN=$(openssl rand -hex 32)" >> .env
docker compose up -d
```
This starts 6 containers: 5 sector relays + admin panel. System nginx handles TLS.
| Container | Host port | Public URL |
|-----------|-----------|------------|
| relay-main | 127.0.0.1:3000 | relay.your-domain |
| relay-health | 127.0.0.1:3001 | health.your-domain |
| relay-finance | 127.0.0.1:3002 | finance.your-domain |
| relay-legal | 127.0.0.1:3003 | legal.your-domain |
| relay-iot | 127.0.0.1:3004 | iot.your-domain |
| admin | 127.0.0.1:4200 | your-domain/admin/ |
### Raspberry Pi (arm64)
```bash
curl -fsSL https://paramant.app/install-pi.sh | bash
# Detects Pi model, installs Docker, disables swap, prints relay URL
```
### Automated full setup (domain + TLS + sectors)
```bash
curl -fsSL https://paramant.app/install.sh | bash
# Prompts: domain, email (Let's Encrypt), admin token, sectors, license key
```
### Bootable OS (no Docker needed)
Flash [paramantOS](https://github.com/Apolloccrypt/ParamantOS) to USB — relay starts on boot.
---
## API
### Send a file
```bash
curl -X POST https://health.paramant.app/v2/inbound \
-H "X-Api-Key: pgp_your_key" \
-H "Content-Type: application/json" \
-d '{"hash":"sha256_of_payload","payload":"base64_5mb_blob","ttl_ms":3600000}'
# Returns: {"blob_hash":"sha256...","ttl":3600}
```
### Receive a file (burn-on-read)
```bash
curl https://health.paramant.app/v2/outbound/abc123... \
-H "X-Api-Key: pgp_your_key" --output received-file.bin
# Blob is destroyed immediately after this response
```
### Health check (public)
```bash
curl https://health.paramant.app/health
# {"ok":true,"version":"2.4.5","sector":"health","edition":"community"}
```
### CT log (authenticated)
```bash
curl https://health.paramant.app/v2/ct -H "X-Api-Key: pgp_your_key"
# {"size":58,"root":"deed04dd...","entries":[...]}
```
Full API reference: [docs/api.md](docs/api.md)
---
## CLI tools
All 38 `paramant-*` tools are included in [paramantOS](https://github.com/Apolloccrypt/ParamantOS) and installable via `.deb`:
```bash
curl -fsSL https://paramant.app/install-client.sh | bash
```
### Setup & diagnostics
```
paramant-help # full command reference
paramant-setup # first-time wizard (key + relay URL)
paramant-status # relay health across all sectors
paramant-doctor # automated health check
paramant-relay-setup # clone + configure + start relay
```
### Sector tools (use-case specific)
```
paramant-referral # healthcare referral (NEN 7510, HL7 FHIR, DICOM)
paramant-notary # legal document transport (eIDAS, KNB)
paramant-legal # court document relay (replaces Zivver)
paramant-payslip # HR payslip distribution (GDPR)
paramant-firmware # IoT/body cam firmware updates (IEC 62443)
paramant-cra # software supply chain relay (EU CRA 2027)
paramant-ticket # one-time transit ticket issuer/verifier
```
### Key management
```
paramant-keys # list all API keys
paramant-key-add # add new API key
paramant-key-revoke # revoke an API key
```
### Security & network
```
security-status # all security layers at a glance
paramant-ports # firewall rules + listening ports
paramant-scan # LAN relay discovery + registry
paramant-verify # TOFU fingerprint verification
```
### Data management
```
paramant-backup # backup keys + CT log
paramant-export # export audit log to USB
paramant-logs # live log stream
paramant-update # check for updates
```
---
## Python SDK
```bash
pip install paramant-sdk
```
```python
from paramant_sdk import GhostPipe
gp = GhostPipe(api_key="pgp_xxx", device="device-001", sector="health")
# Send — returns blob hash
hash_ = gp.send(open("scan.dcm", "rb").read(), ttl=3600)
# Receive — burn-on-read, returns plaintext bytes
data = gp.receive(hash_)
# Anonymous drop with 12-word mnemonic
mnemonic = gp.drop(b"sensitive data", ttl=3600)
data = gp.pickup(mnemonic)
```
---
## Security
The relay is **untrusted by design** — it never holds a decryption key.
| What a compromised relay can do | What it cannot do |
|---------------------------------|-------------------|
| Deny service | Read file contents |
| Learn transfer timing | Substitute a registered public key |
| See blob sizes (fixed 5 MB) | Decrypt any stored ciphertext |
**Crypto stack:**
| Layer | Standard |
|-------|----------|
| Key encapsulation | ML-KEM-768 · NIST FIPS 203 |
| Symmetric | AES-256-GCM · NIST SP 800-38D |
| Signatures | ML-DSA-65 · NIST FIPS 204 |
| Key derivation | HKDF-SHA256 · RFC 5869 |
| Password blobs | Argon2id · RFC 9106 |
| Crypto runtime | Rust/WASM — browser-side encryption runs in native code |
| Storage | RAM only — never written to disk |
| Padding | 5 MB fixed — all transfers look identical (DPI masking) |
| Audit log | SHA3-256 Merkle tree — tamper-evident, public |
| Infrastructure | Hetzner Frankfurt DE — EU jurisdiction only, no US CLOUD Act |
| Docker | cap_drop ALL, no-new-privileges, read-only rootfs |
**Security audits (April 2026):**
- **2026-04-13 — R. Zwarts dependency review:** 0 npm vulnerabilities. Node 20 EOL → node:22-alpine. express 4.x → 5.x. Commit [e6f216d](https://github.com/Apolloccrypt/paramant-relay/commit/e6f216d)
- **2026-04-11 — R. Zwarts verification review:** 14 findings (1 high · 8 medium · 5 low), all resolved. Commit [e6f216d](https://github.com/Apolloccrypt/paramant-relay/commit/e6f216d)
- **2026-04-10 — R. Zwarts independent audit:** 6 findings (3 high · 3 medium), all resolved. Commit [0db3ef0](https://github.com/Apolloccrypt/paramant-relay/commit/0db3ef0)
- **2026-04-08 — Ryan Williams, Smart Cyber Solutions (AU):** 4 critical · 5 high · 6 medium · 5 low. [Full report](docs/security-audit-2026-04.md)
All findings publicly documented in [SECURITY.md](SECURITY.md).
---
## Compliance
| Regulation | Status | Details |
|------------|--------|---------|
| NIS2 (EU 2022/2555) | Ready | [Compliance page](https://paramant.app/compliance/nis2) |
| NEN 7510 (Healthcare NL) | Ready* | [Compliance page](https://paramant.app/compliance/nen7510) |
| IEC 62443 (Industrial IoT) | Ready | [Compliance page](https://paramant.app/compliance/iec62443) |
| DORA (Finance EU) | Ready | NIS2 compliance covers DORA Art. 6 |
| EU CRA 2027 | Designed for | paramant-cra tool + CT log |
| GDPR Art. 28 | Ready | [Verwerkersovereenkomst](https://paramant.app/verwerkersovereenkomst) |
*NEN 7510: finding #4 (filename in transit RAM) patched in v2.4.5 — filename encrypted in relay RAM and never written to disk.
---
## Pricing
| Tier | Price | Users | Features |
|------|-------|-------|---------|
| Community | Free | Up to 5 | Full source, all sectors, self-hosted, no key required |
| Professional | €149/mo | Up to 50 | Webhooks, 24h retention, email support, `plk_` license |
| Enterprise | Custom | Unlimited | Dedicated relay, SLA 99.9%, compliance docs, TOTP MFA |
[Full pricing →](https://paramant.app/#pricing) · [Get a free API key →](https://paramant.app/request-key)
---
## Docs
| | |
|--|--|
| [docs/api.md](docs/api.md) | Full API reference — all endpoints, request/response formats |
| [docs/self-hosting.md](docs/self-hosting.md) | Docker deploy, nginx, TLS, env vars, upgrade |
| [docs/dicom-guide.md](docs/dicom-guide.md) | Healthcare sector — DICOM gateway, HL7 FHIR, NEN 7510 |
| [docs/licensing.md](docs/licensing.md) | Key types, edition limits, Ed25519 enforcement |
| [docs/security.md](docs/security.md) | Threat model, crypto stack, audit reports |
| [Apolloccrypt/ParamantOS](https://github.com/Apolloccrypt/ParamantOS) | Bootable NixOS ISO — plug in, boot, relay is live |
| [CHANGELOG.md](CHANGELOG.md) | Version history |
| [SECURITY.md](SECURITY.md) | Vulnerability reporting |
---
**Requirements:** 1 GB RAM · Ubuntu 22.04+ / Debian 12+ · Docker 24+ · swap disabled
**License:** BUSL-1.1 — source available, free for ≤ 5 active API keys per relay.
Licensor: PARAMANT | Jurisdiction: EU/DE | Contact: privacy@paramant.app