Secure Messages for Perfex CRM

Secure Messages for Perfex CRM — Zero-Knowledge encrypted link sharing

Generate encrypted, self-destructing links for passwords, credentials, API keys and confidential notes — directly inside Perfex CRM. The server never sees the plaintext. Ever.

Important: This is an add-on module for Perfex CRM. A valid Perfex CRM license is required. Perfex CRM is sold separately at CodeCanyon.

The problem this solves

Every time you send a credential through email, WhatsApp or Slack, you create a permanent, searchable record of that secret. Secure Messages eliminates that risk by giving your team a dedicated, encrypted channel inside Perfex CRM.

Zero-Knowledge Architecture

Most “secure sharing” tools encrypt data on the server — which means the service provider technically has access to your secrets. Secure Messages uses a fundamentally different approach: all encryption and decryption happens in the browser using AES-256.

The encryption key is appended to the link as a URL fragment (the part after #). Fragments are never sent to the server in HTTP requests. Your database stores only ciphertext. Even with full database access, the content is unreadable without the key — and the key lives only in the shared URL.

How it works

1. Compose your message — Paste your sensitive content (passwords, API keys, credentials). Add an internal reference label for your own bookkeeping.
2. Configure protection — Choose an expiry window (1, 3, 7 or 30 days — or never). Enable burn-after-reading. Optionally require a password before decryption.
3. Share the link — Copy and send the URL. Once the recipient reads the message, it is permanently deleted. The link in your chat history becomes a dead end.

Features

• Zero-Knowledge AES-256 encryption — Encryption key is only in the URL hash, never stored on the server
• Burn-after-reading mode — Content is deleted from the database immediately after the first view
• Time-bound expiry (1 / 3 / 7 / 30 days / never) — Automatic cleanup via Perfex cron integration
• Optional password gate — bcrypt-verified password check before decryption starts
• Company branding on public view — Display your logo instead of the default icon
• Admin overview with DataTable — All active links in one sortable, filterable table with one-click delete
• Global defaults in Settings panel — Set default expiry, burn mode and password for your whole team
• Perfex native role permissions — View, create and delete capabilities per staff role
• Internal reference / label field — For your own administration, clearly disclosed in the UI
• SEO-safe public view — Public pages carry noindex, nofollow, noarchive meta tags
• 32-character random link identifier — Not guessable, not sequential
• 22+ included languages — Full translation files for admin and public views
• No external SaaS dependency — Runs entirely on your own server
• Clean install / uninstall — Single-table schema (tbl_secure_messages), clean uninstall removes all data

Who uses this

• Web agencies and IT service providers — Share hosting credentials and server access with clients securely
• Accounting and finance firms — Deliver credentials without leaving a paper trail in email
• Software development teams — Distribute API keys and environment secrets without polluting Slack history
• Legal and compliance teams — Share access data with counterparties in a way that automatically expires
• Healthcare and HR departments — Transmit sensitive personal data in a GDPR-conscious way

Frequently asked questions

Can the server administrator read the encrypted messages?

No. The encryption key is only in the URL fragment (#). HTTP clients never send the fragment to the server, so the key is never transmitted or stored. The database contains only AES-256 ciphertext — unreadable without the URL.

What happens if the recipient opens the link but doesn’t click “Show Message”?

Nothing. The message is only destroyed when the recipient actively clicks the button. Simply opening the URL does not trigger deletion — so accidental link previews from messaging apps will not prematurely destroy the content.

Can I recover a message after it has been burned or expired?

No. Deletion is permanent. Because the key was never stored server-side, there is no recovery path. This is by design.

Does this work with Perfex multi-staff setups?

Yes. Uses Perfex’s native capabilities system. View, create and delete permissions are assignable per role independently.

Is this GDPR-compliant for sharing personal data?

The module significantly reduces data exposure risks because plaintext is never stored and messages self-destruct. GDPR compliance depends on your broader data processing context — consult your legal advisor for your specific situation.

Technical requirements

• Perfex CRM: 2.3.2 or higher
• PHP: 7.4 or higher (bcrypt support required)
• MySQL: 5.7+ / MariaDB 10.3+
• Browser: Any modern browser with ES6+ support (Chrome, Firefox, Safari, Edge)
• External dependency: CryptoJS 4.1.1 (loaded from Cloudflare CDN)
• Cron job: Perfex cron must be active for automatic expiry cleanup

This module uses only one new database table and does not modify any existing Perfex tables or core files.

Changelog

v1.1.0 (07-04-2026)

• Add PHPDoc comments across Secure Messages module for improved code clarity and maintainability
• Don’t load assets from CDN
• All JavaScript should be written with “use strict” mode on.
• No inline scripts or styles unless dynamic.

v1.0.0 — Initial release (01-04-2026)

Full Zero-Knowledge AES-256 encryption, burn-after-reading, time-bound expiry, optional bcrypt password gate, company logo support, admin DataTable overview, global settings, Perfex role-based permissions, automatic cron cleanup, 22+ language files, clean install and uninstall scripts.