An open API service indexing awesome lists of open source software.

https://github.com/apolloccrypt/paramant-relay

Post-quantum encrypted file relay. ML-KEM-768. Burn-on-read. EU/DE. NIS2/NEN7510/IEC62443 ready.
https://github.com/apolloccrypt/paramant-relay

docker encryption eu-jurisdiction file-transfer gdpr ml-kem-768 nis2 post-quantum relay self-hosted

Last synced: 3 months ago
JSON representation

Post-quantum encrypted file relay. ML-KEM-768. Burn-on-read. EU/DE. NIS2/NEN7510/IEC62443 ready.

Awesome Lists containing this project

README

          

# PARAMANT — Post-Quantum Encrypted File Relay

[![Version](https://img.shields.io/badge/version-v2.4.5-brightgreen.svg)](CHANGELOG.md)
[![License](https://img.shields.io/badge/license-BUSL--1.1-blue.svg)](LICENSE)
[![Security Audit](https://img.shields.io/badge/security-audited%20apr%202026-brightgreen.svg)](docs/security-audit-2026-04.md)
[![Relays](https://img.shields.io/badge/relays-5%20live-brightgreen.svg)](https://paramant.app/status)
[![Jurisdiction](https://img.shields.io/badge/jurisdiction-EU%2FDE%20only-blue.svg)](https://paramant.app/compliance/nis2)
[![Docker](https://img.shields.io/badge/Docker-mtty001%2Frelay-2496ED?logo=docker&logoColor=white)](https://hub.docker.com/r/mtty001/relay)

**Post-quantum encrypted file relay. Burn-on-read. EU jurisdiction. Self-hostable in 2 minutes.**

Data is encrypted client-side with ML-KEM-768 + AES-256-GCM, relayed through RAM only, and destroyed after one download. Nothing is ever written to disk. Every transfer is recorded in a public Merkle tree — proving delivery without storing content.

---

## Quick start

```bash
# 1. Clone
git clone https://github.com/Apolloccrypt/paramant-relay && cd paramant-relay

# 2. Configure
cp .env.example .env
echo "ADMIN_TOKEN=$(openssl rand -hex 32)" >> .env

# 3. Launch (6 containers: 5 sector relays + admin panel)
docker compose up -d

# 4. Verify
curl http://localhost:3001/health
# {"ok":true,"version":"2.4.5","sector":"health","edition":"community"}
```

Or on a Raspberry Pi / fresh VPS:

```bash
curl -fsSL https://paramant.app/install-pi.sh | bash
```

Or via the browser — no install:
**[Try ParaShare →](https://paramant.app/parashare)** (no account, no key needed)

**[Get a free API key →](https://paramant.app/request-key)** (email delivery, 30-second form)

---

## How it works

```
Sender Ghost Pipe Relay Receiver
------ ---------------- --------
file.pdf RAM only — no disk writes file.pdf
│ burn-on-read ▲
▼ 5 MB fixed padding │
encrypt(ML-KEM-768) ───► hash → Merkle CT log ────► decrypt(ML-KEM-768)
X-Api-Key header blob destroyed on read X-Api-Key header
```

**What the relay never sees:** plaintext, encryption keys, filenames, or recipient identity.
**What it does see:** fixed-size (5 MB) ciphertext blobs, blob hashes, API key identifiers.

---

## Use cases

### Healthcare — DICOM / HL7 FHIR (NEN 7510)

```bash
# Send MRI scan to specialist — burned after one download
python3 paramant-sender.py \
--key pgp_xxx --device mri-001 --sector health scan.dcm

# Receive and forward to PACS system
python3 paramant-receiver.py \
--key pgp_xxx --stream --forward https://pacs.hospital.nl/api

# Structured referral (HL7 FHIR R4)
paramant-referral referral.json --type fhir --from gp-001 --to cardiology-umcg
```

→ [NEN 7510 compliance](https://paramant.app/compliance/nen7510) · [DICOM setup guide](docs/dicom-guide.md)

---

### Legal & Notary — eIDAS compatible

```bash
# Send signed deed — cryptographically gone after receipt, CT log proof preserved
paramant-notary deed.pdf --sign --receipt

# Court documents with case reference
paramant-legal summons.pdf --case ROT-2026-1234 --proof
```

→ [Legal compliance](https://paramant.app/compliance/nis2)

---

### Industrial IoT — IEC 62443

```bash
# PLC telemetry — no VPN, no direct OT exposure to internet
python3 paramant-sender.py \
--heartbeat 15 --device plc-factory-01 --sector iot data.bin

# Firmware update to body cams / IoT device fleet
paramant-firmware update-v2.1.bin \
--sign --device-group bodycams.txt --version 2.1
```

→ [IEC 62443 compliance](https://paramant.app/compliance/iec62443)

---

### Finance — NIS2 / DORA

```bash
# ISO 20022 payment file relay with Merkle audit trail
python3 paramant-sender.py \
--watch /export/iso20022/ --device bank-nl-01 --sector finance

# Every transfer produces a CT log entry for DORA audit
curl https://finance.paramant.app/v2/ct -H "X-Api-Key: pgp_xxx"
```

---

### HR — GDPR-compliant payslip distribution

```bash
# Bulk payslip delivery — no email, no storage, no GDPR risk
paramant-payslip \
--bulk employees.csv --dir ./payslips/april/
```

---

### Software supply chain — EU CRA 2027

```bash
# CI/CD: sign + relay build artifacts with SBOM
paramant-cra dist/app-v1.2.tar.gz \
--sbom sbom.json --sign --registry https://registry.company.nl/api
```

---

## Sector relays

Five live relays — each tuned for its compliance domain:

| Subdomain | Sector | Port | Compliance |
|-----------|--------|------|------------|
| relay.paramant.app | General | 3000 | — |
| health.paramant.app | Healthcare | 3001 | NEN 7510, DICOM, HL7 FHIR |
| legal.paramant.app | Legal/Notary | 3003 | eIDAS, KNB |
| finance.paramant.app | Finance | 3002 | NIS2, DORA, ISO 20022 |
| iot.paramant.app | Industrial IoT | 3004 | IEC 62443, EU CRA |

All five run the same codebase — the `SECTOR` env var determines which compliance mode activates.

---

## Self-hosting

### Linux VPS (Ubuntu 22.04+ / Debian 12+)

```bash
git clone https://github.com/Apolloccrypt/paramant-relay
cd paramant-relay
cp .env.example .env
echo "ADMIN_TOKEN=$(openssl rand -hex 32)" >> .env
docker compose up -d
```

This starts 6 containers: 5 sector relays + admin panel. System nginx handles TLS.

| Container | Host port | Public URL |
|-----------|-----------|------------|
| relay-main | 127.0.0.1:3000 | relay.your-domain |
| relay-health | 127.0.0.1:3001 | health.your-domain |
| relay-finance | 127.0.0.1:3002 | finance.your-domain |
| relay-legal | 127.0.0.1:3003 | legal.your-domain |
| relay-iot | 127.0.0.1:3004 | iot.your-domain |
| admin | 127.0.0.1:4200 | your-domain/admin/ |

### Raspberry Pi (arm64)

```bash
curl -fsSL https://paramant.app/install-pi.sh | bash
# Detects Pi model, installs Docker, disables swap, prints relay URL
```

### Automated full setup (domain + TLS + sectors)

```bash
curl -fsSL https://paramant.app/install.sh | bash
# Prompts: domain, email (Let's Encrypt), admin token, sectors, license key
```

### Bootable OS (no Docker needed)

Flash [paramantOS](https://github.com/Apolloccrypt/ParamantOS) to USB — relay starts on boot.

---

## API

### Send a file

```bash
curl -X POST https://health.paramant.app/v2/inbound \
-H "X-Api-Key: pgp_your_key" \
-H "Content-Type: application/json" \
-d '{"hash":"sha256_of_payload","payload":"base64_5mb_blob","ttl_ms":3600000}'
# Returns: {"blob_hash":"sha256...","ttl":3600}
```

### Receive a file (burn-on-read)

```bash
curl https://health.paramant.app/v2/outbound/abc123... \
-H "X-Api-Key: pgp_your_key" --output received-file.bin
# Blob is destroyed immediately after this response
```

### Health check (public)

```bash
curl https://health.paramant.app/health
# {"ok":true,"version":"2.4.5","sector":"health","edition":"community"}
```

### CT log (authenticated)

```bash
curl https://health.paramant.app/v2/ct -H "X-Api-Key: pgp_your_key"
# {"size":58,"root":"deed04dd...","entries":[...]}
```

Full API reference: [docs/api.md](docs/api.md)

---

## CLI tools

All 38 `paramant-*` tools are included in [paramantOS](https://github.com/Apolloccrypt/ParamantOS) and installable via `.deb`:

```bash
curl -fsSL https://paramant.app/install-client.sh | bash
```

### Setup & diagnostics

```
paramant-help # full command reference
paramant-setup # first-time wizard (key + relay URL)
paramant-status # relay health across all sectors
paramant-doctor # automated health check
paramant-relay-setup # clone + configure + start relay
```

### Sector tools (use-case specific)

```
paramant-referral # healthcare referral (NEN 7510, HL7 FHIR, DICOM)
paramant-notary # legal document transport (eIDAS, KNB)
paramant-legal # court document relay (replaces Zivver)
paramant-payslip # HR payslip distribution (GDPR)
paramant-firmware # IoT/body cam firmware updates (IEC 62443)
paramant-cra # software supply chain relay (EU CRA 2027)
paramant-ticket # one-time transit ticket issuer/verifier
```

### Key management

```
paramant-keys # list all API keys
paramant-key-add # add new API key
paramant-key-revoke # revoke an API key
```

### Security & network

```
security-status # all security layers at a glance
paramant-ports # firewall rules + listening ports
paramant-scan # LAN relay discovery + registry
paramant-verify # TOFU fingerprint verification
```

### Data management

```
paramant-backup # backup keys + CT log
paramant-export # export audit log to USB
paramant-logs # live log stream
paramant-update # check for updates
```

---

## Python SDK

```bash
pip install paramant-sdk
```

```python
from paramant_sdk import GhostPipe

gp = GhostPipe(api_key="pgp_xxx", device="device-001", sector="health")

# Send — returns blob hash
hash_ = gp.send(open("scan.dcm", "rb").read(), ttl=3600)

# Receive — burn-on-read, returns plaintext bytes
data = gp.receive(hash_)

# Anonymous drop with 12-word mnemonic
mnemonic = gp.drop(b"sensitive data", ttl=3600)
data = gp.pickup(mnemonic)
```

---

## Security

The relay is **untrusted by design** — it never holds a decryption key.

| What a compromised relay can do | What it cannot do |
|---------------------------------|-------------------|
| Deny service | Read file contents |
| Learn transfer timing | Substitute a registered public key |
| See blob sizes (fixed 5 MB) | Decrypt any stored ciphertext |

**Crypto stack:**

| Layer | Standard |
|-------|----------|
| Key encapsulation | ML-KEM-768 · NIST FIPS 203 |
| Symmetric | AES-256-GCM · NIST SP 800-38D |
| Signatures | ML-DSA-65 · NIST FIPS 204 |
| Key derivation | HKDF-SHA256 · RFC 5869 |
| Password blobs | Argon2id · RFC 9106 |
| Crypto runtime | Rust/WASM — browser-side encryption runs in native code |
| Storage | RAM only — never written to disk |
| Padding | 5 MB fixed — all transfers look identical (DPI masking) |
| Audit log | SHA3-256 Merkle tree — tamper-evident, public |
| Infrastructure | Hetzner Frankfurt DE — EU jurisdiction only, no US CLOUD Act |
| Docker | cap_drop ALL, no-new-privileges, read-only rootfs |

**Security audits (April 2026):**

- **2026-04-13 — R. Zwarts dependency review:** 0 npm vulnerabilities. Node 20 EOL → node:22-alpine. express 4.x → 5.x. Commit [e6f216d](https://github.com/Apolloccrypt/paramant-relay/commit/e6f216d)
- **2026-04-11 — R. Zwarts verification review:** 14 findings (1 high · 8 medium · 5 low), all resolved. Commit [e6f216d](https://github.com/Apolloccrypt/paramant-relay/commit/e6f216d)
- **2026-04-10 — R. Zwarts independent audit:** 6 findings (3 high · 3 medium), all resolved. Commit [0db3ef0](https://github.com/Apolloccrypt/paramant-relay/commit/0db3ef0)
- **2026-04-08 — Ryan Williams, Smart Cyber Solutions (AU):** 4 critical · 5 high · 6 medium · 5 low. [Full report](docs/security-audit-2026-04.md)

All findings publicly documented in [SECURITY.md](SECURITY.md).

---

## Compliance

| Regulation | Status | Details |
|------------|--------|---------|
| NIS2 (EU 2022/2555) | Ready | [Compliance page](https://paramant.app/compliance/nis2) |
| NEN 7510 (Healthcare NL) | Ready* | [Compliance page](https://paramant.app/compliance/nen7510) |
| IEC 62443 (Industrial IoT) | Ready | [Compliance page](https://paramant.app/compliance/iec62443) |
| DORA (Finance EU) | Ready | NIS2 compliance covers DORA Art. 6 |
| EU CRA 2027 | Designed for | paramant-cra tool + CT log |
| GDPR Art. 28 | Ready | [Verwerkersovereenkomst](https://paramant.app/verwerkersovereenkomst) |

*NEN 7510: finding #4 (filename in transit RAM) patched in v2.4.5 — filename encrypted in relay RAM and never written to disk.

---

## Pricing

| Tier | Price | Users | Features |
|------|-------|-------|---------|
| Community | Free | Up to 5 | Full source, all sectors, self-hosted, no key required |
| Professional | €149/mo | Up to 50 | Webhooks, 24h retention, email support, `plk_` license |
| Enterprise | Custom | Unlimited | Dedicated relay, SLA 99.9%, compliance docs, TOTP MFA |

[Full pricing →](https://paramant.app/#pricing) · [Get a free API key →](https://paramant.app/request-key)

---

## Docs

| | |
|--|--|
| [docs/api.md](docs/api.md) | Full API reference — all endpoints, request/response formats |
| [docs/self-hosting.md](docs/self-hosting.md) | Docker deploy, nginx, TLS, env vars, upgrade |
| [docs/dicom-guide.md](docs/dicom-guide.md) | Healthcare sector — DICOM gateway, HL7 FHIR, NEN 7510 |
| [docs/licensing.md](docs/licensing.md) | Key types, edition limits, Ed25519 enforcement |
| [docs/security.md](docs/security.md) | Threat model, crypto stack, audit reports |
| [Apolloccrypt/ParamantOS](https://github.com/Apolloccrypt/ParamantOS) | Bootable NixOS ISO — plug in, boot, relay is live |
| [CHANGELOG.md](CHANGELOG.md) | Version history |
| [SECURITY.md](SECURITY.md) | Vulnerability reporting |

---

**Requirements:** 1 GB RAM · Ubuntu 22.04+ / Debian 12+ · Docker 24+ · swap disabled

**License:** BUSL-1.1 — source available, free for ≤ 5 active API keys per relay.

Licensor: PARAMANT | Jurisdiction: EU/DE | Contact: privacy@paramant.app