Recommended releases

Download Released

Acuity Secure Message - Send passwords and confidential documents as expiring, one-time secure links instead of emailing them.

Acuity Secure Message is a module for delivering secrets safely. Instead of putting a password or a sensitive document in an email, where it lives forever in two mailboxes and every server in between, you create a secure link. The recipient opens it, clicks Reveal, and reads the message or downloads the attachment; one-time messages are then destroyed. Everything is encrypted with a key derived from the link itself, so the site cannot read what it stores: a database and file dump together expose nothing. Built on the Acuity Secure Link engine.

Intended use

Secure Message is built for sending the odd small attachment, a document, image or PDF to a single recipient, alongside a secret. It is not a mass file-distribution or file-hosting service. Each download decrypts the whole file in memory, so a burst of large downloads happening at the same time multiplies memory use across your web server's PHP workers. On a small or shared server, too many simultaneous downloads of large files can exhaust memory and break the site. Keep the attachment size limit conservative, and only raise it if you are confident your server has the headroom for several concurrent downloads of that size.

Beta Release Notes

As a beta release, the compose form, two-step reveal, one-time destruction, email delivery, and encrypted attachments are fully functional and verified by CLI test harnesses, live HTTPS checks, and browser testing of the send → reveal → burn flow. Before deploying to production, ensure your Backdrop CMS environment is running PHP 8.0+, that a private file directory is configured (required for attachments), and clear your system caches after installation.

Features

  • Compose form: Message body, recipient reference (admin listing only — never shown to the recipient), expiry presets (1 hour / 24 hours / 7 days / 30 days), an access choice of destroy after one reveal or allow a set number of opens. The secure link is shown to copy/paste into an email, WhatsApp with an optional email delivery. Requires the create secure links permission.
  • The server cannot read your secrets: Message bodies and attachments are encrypted (AES-256-GCM) with keys derived from the link token via HKDF. Only a hash of the token is stored, the decryption key exists solely inside the recipient's URL.
  • The link is shown once: After creation the URL is displayed a single time (and optionally emailed). It cannot be recovered afterwards, not even by an administrator.
  • Scanner-safe two-step reveal: Opening the URL shows only a Reveal button. Email security scanners that prefetch links cannot burn a one-time message; only a deliberate human click reveals it.
  • Encrypted attachments: Attach a document (Word, Excel, PDF, images, DXF and more). On disk it is an anonymous numbered blob; the real filename, type, and size travel inside the encrypted payload, so nothing about the attachment is readable at rest. The plaintext upload is destroyed the moment encryption completes. The size limit is admin-configurable and defaults to a recommended maximum calculated from your server's PHP memory and upload limits (see Intended use and Configuration below).
  • Burn semantics that make sense: One-time messages without an attachment are destroyed on reveal. Attachments are single-download, an attached file is destroyed the moment it is first downloaded, so it can be saved exactly once, even on a multi-open link (the message body stays readable for the link's remaining opens; the download link simply stops working). An open is one visit to the link, revealing the message or downloading the attachment on that visit doesn't count again. When the last allowed open (or expiry) is reached the whole message is destroyed, but the link's audit row is kept in the admin listing, marked Used, showing it was opened, until an administrator deletes it.
  • Email contains the link only: Optional delivery email mentions that an attachment exists but never includes the secret, the filename, or any content.
  • Customisable notification email: The email subject and body are editable in the admin settings, with a WYSIWYG editor and placeholders (tokens) for the link, expiry, and status notes. Only non-secret placeholders exist, so a customised template can never be made to leak the secret. The body may contain HTML; see the note under Configuration about HTML delivery.
  • Automatic cleanup: Expired and revoked messages, including their attachment blobs, are purged by cron via the link engine's cleanup hook.
  • Everything the engine provides: Flood-controlled resolution, uniform 404s (expired, revoked, and never-existed are indistinguishable), no-referrer and noindex headers, revocation from the admin listing, and a full audit trail.
  • Backdrop Native: Built exclusively for Backdrop CMS using strict PHP 8.0+ standards and Backdrop APIs throughout.

Requirements

  • Backdrop CMS 1.x
  • PHP 8.0+ (While the code may technically function with PHP 7.4 at this time, we strictly require PHP 8.0+ and will not address issues related to older PHP versions.)
  • Companion modules: Acuity Secure Link and Acuity Encrypt
  • A configured private file directory (Admin → Configuration → Media → File system) for encrypted attachments

Installation

Install this module using the official Backdrop CMS instructions at https://docs.backdropcms.org/documentation/extend-with-modules

Enable the module (dependencies enable automatically), then clear your system caches to register the compose and download routes.

Configuration

  1. Grant the create secure links permission to roles that may send secure messages. It is not granted to any role by default.
  2. Go to (site URL)//secure-message/new or (site URL)//admin/config/acuity-utils/secure-message to send a message: type the secret, optionally attach a document, pick an expiry and the one-time option, and click Create secure link.
  3. Copy the link immediately — it is shown only once — or enter an email address to have it sent (the email carries the link only, never the secret).
  4. Sent messages can be reviewed, revoked, and deleted at Admin → Configuration → Acuity Utils → Secure Links, which shows whether each link has been opened and its status (Active / Used / Revoked / Expired).
  5. Optionally set a maximum attachment size at Admin → Configuration → Acuity Utils → Secure message settings. It defaults to a recommended maximum calculated from your server's PHP limits; read the on-page guidance before raising it (see Intended use).
  6. On the same settings page you can customise the notification email subject and body. Insert any placeholder from the list shown there — the clickable link, expiry date, and status notes — into the subject or body. Leaving them at their defaults reproduces the standard email.

For email delivery, the site needs a working mail handler (e.g. the SMTP module, or your server's sendmail). The notification body can contain HTML: Backdrop's built-in mail backend converts it to a readable plain-text message, while an HTML-capable mail system (for example SMTP with Mime Mail) delivers it as formatted HTML.

Issues

Bugs and feature requests should be reported in the Issue Queue: https://github.com/albanycomputers/acuity_secure_message/issues

Current Maintainer(s)

Planned Features

The following are on the roadmap but not yet implemented:

  • Multiple attachments per message.
  • Configurable extension whitelist: Admin-settable allowed file types (currently a sensible fixed list).
  • Custom expiry: A date picker alongside the presets.
  • Recipient read receipts: Optional notification to the sender when a message is revealed or downloaded.
  • Menu/dashboard integration: A "sent messages" listing for non-admin senders showing status (unopened / revealed / destroyed / expired) of their own links.

Credits

License

This project is GPL v2 or later software. See the LICENSE.txt file in this directory for complete text.