How a Secure Message is Processed in MatrixSwarm


This guide explains the end-to-end encrypted journey of a message, from a visitor on your website to a notification for your team. This process ensures that a submitted message is never stored in plaintext on the web server, providing a high level of security.

Overview
Front-End: A standard PHP web application.
Back-End: The Python-based MatrixSwarm.
Encryption: Hybrid RSA + AES-GCM.
Result: A secure, automated pipeline for handling external communications.
Step 1: A Visitor Submits the Contact Form
The process begins when a guest visits your website and fills out the contact form with their name, email, and message.
Step 2: The Web Server Encrypts the Message
Once the form is submitted, the PHP script on your web server takes over. It does not save the message directly. Instead, it performs a two-layer encryption process:
1. It generates a secure, one-time-use AES-256 key.
2. It uses this AES key to encrypt the actual message content (name, email, etc.).
3. It then uses the Swarm agent's public RSA key to encrypt the AES key itself.
This is like putting the message in a locked box (AES) and then putting the key to that box inside a separate, virtually uncrackable safe (RSA) that only the designated agent can open.

Backend PHP code:
<?php
// $outbox_path is the directory the Swarm watches; $msg holds the submitted form fields
$outbox_path = '/path/to/some/php/dropzone/';
$pubkey_pem = '-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyXVSidkhFHOLFngvx/mL
XIMDCZ979ZCk/GJ2b0GRtutO21qEFKYypDDBBL5CJj6Yq/SPa5MV/rVmA0aUpRRV
NAMXDln3DL8ff22Pb24MdpJDzbzoufWyKyPIkkcZE2wU8gzskBx1i3ARdwugBo33
Ukbr7PYpD9EZk1nHY7chRuY1RHSlRDm0JQUPnWtSox5Seb3tqrpAgyNotvOVEBUA
dQ7Ysp6Nj5YHWYKpiGxSQgu+WyhCS/NXX5AFWCCNC+liJ1NGav5nWeCsGqKmVGIJ
birHt+KSvqrIOPeMi0fBzYOVPJwx1HqB8JNWPBJ0E3n7aZMjENq86unJD/meBTam
WQIDAQAB
-----END PUBLIC KEY-----';
// Convert fields: the keys on the left are what contact_reflex expects;
// make sure you sanitize and validate the form vars on the right.
$mmsg = [];
$mmsg['site'] = 'matrixswarm.com';
$mmsg['subject'] = $msg['sending_email_subject'];
$mmsg['name'] = $msg['sending_email_sender_name'];
$mmsg['email'] = $msg['sending_email_sender_email'];
$mmsg['message'] = $msg['sending_email_message'];
$mmsg['sender_ip'] = $msg['sending_sender_ip'];
// 1. Generate a random one-time AES-256 key and a 96-bit GCM nonce
$aes_key = openssl_random_pseudo_bytes(32);
$nonce = openssl_random_pseudo_bytes(12);
// 2. Build the payload from the converted fields
$plaintext = json_encode($mmsg, JSON_UNESCAPED_UNICODE);
if ($plaintext === false) {
    throw new \Exception("JSON encoding failed.");
}
// 3. Encrypt with AES-256-GCM; the 16-byte authentication tag is returned by reference in $tag
$tag = '';
$ciphertext = openssl_encrypt(
    $plaintext, 'aes-256-gcm', $aes_key,
    OPENSSL_RAW_DATA, $nonce, $tag, '', 16
);
if ($ciphertext === false) {
    throw new \Exception("AES encryption failed.");
}
// 4. Encrypt the AES key with the agent's public key (RSA-OAEP).
//    The str_replace handles a PEM whose newlines arrived escaped from a config file.
$pubkey_pem = str_replace("\\n", "\n", $pubkey_pem);
$rsa_ok = openssl_public_encrypt($aes_key, $encrypted_key, $pubkey_pem, OPENSSL_PKCS1_OAEP_PADDING);
if (!$rsa_ok) {
    while ($err = openssl_error_string()) {
        error_log("OpenSSL error: " . $err);
    }
    throw new \Exception("RSA encryption failed.");
}
// 5. Build the blob: the wrapped key, nonce and tag travel alongside the ciphertext
$blob = [
    'meta' => [
        'encrypted_key' => base64_encode($encrypted_key),
        'nonce' => base64_encode($nonce),
        'tag' => base64_encode($tag),
        'timestamp' => time(),
    ],
    'data' => base64_encode($ciphertext),
];
// 6. Drop the file into the outbox under a unique name
$fname = "contactmsg_" . date('Ymd_His') . "_" . bin2hex(random_bytes(4)) . ".json";
$fpath = rtrim($outbox_path, "/\\") . "/" . $fname;
file_put_contents($fpath, json_encode($blob, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES));
Step 3: The Encrypted File is Dropped
The PHP script bundles the encrypted message, the encrypted AES key, and some metadata (the GCM nonce, the authentication tag, and a timestamp) into a single .json file. This file is then saved to a specific "outbox" directory on the server that the Swarm is monitoring.
cat /path/to/some/php/dropzone/contactmsg_20250728_142130_bb87899a0.json
{
"meta": {
"encrypted_key": "IPDPl6LYld6OPUvg8VSdGA4sCIT8pFKksGfSRg93tf9xAmYi+Rm5NEBoltdpmQV+N0P6Uny8MJ/xruMtJ0MVrXMzfSFiwX2J2uAeT4j34vE0SLtEqULqEi3LxaRf+o5ZW40/kG9bldz0aWgNDVFyh5kCIizEwAknJQ79mQO9q1aE8XxKOajQrxRwmBlCu/vnf9g9mJwiKOZcvxjZDgK8YC9CO/QnTNcdCYmIKrU+4JhRTm5AQNuk6miHydHGoHsQ1vliQpXZJ1fu+FwlA4aOEHqucd4U8fEYd2X+1ZX0r+LfQErTKXJbTuqcj6LD9pgX5zjUawM3HI/xtWUQjCpoSw==",
"nonce": "uiQd3DWXsOGtEgc3",
"tag": "LSvpD8ULmNKLtHwHL8y99g==",
"timestamp": 1753726890
},
"data": "VQf9KsVI7zHqMKMvOySkMUYjCpigTrWg/VLVAyo2ulJEK0rgIrbICvXKNQSR9CKsCeNGkq497alYqk5l+Rqy9XFeOyZGaof05pyqKb5wuVXQi81Q/R8ear3SafeNk7pAG+kz7k+YeYCsHJu1g//G7urHE5l0764thKd99g0cKa4gi4EWc4l6dMAK/6WIFdsFqK3f5RLanMwGuD54E2tliLHZ3CU="
}
Step 4: The contact_reflex Agent Detects the File
The contact_reflex agent within the MatrixSwarm constantly watches the outbox directory. Using inotify on Linux, it detects the new .json file as soon as it is created, without polling.
Step 5: The Agent Decrypts and Validates
The agent reverses the encryption process:
1. It uses its private RSA key to "unlock the safe" and retrieve the one-time AES key.
2. It then uses that AES key to "unlock the box" and decrypt the original message.
3. The decrypted message is passed to an oracle agent for AI-powered spam classification.
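Agent-side handling of this blob layout, as an added example written for this guide and not the contact_reflex agent's own code; it assumes the Python `cryptography` package, re-implements the PHP sealing step so the round trip can be checked, and matches PHP's OAEP default (SHA-1), which the decrypting side must use or the key will not unwrap.

```python
import base64
import json
import os
import time
from cryptography.exceptions import InvalidTag  # raised when the GCM tag check fails
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
# PHP's OPENSSL_PKCS1_OAEP_PADDING is OAEP with SHA-1 (hash and MGF1); the agent must match.
OAEP_SHA1 = padding.OAEP(mgf=padding.MGF1(hashes.SHA1()), algorithm=hashes.SHA1(), label=None)
TAG_LEN = 16  # the 16 passed to openssl_encrypt() on the PHP side

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def seal_blob(pubkey_pem: bytes, fields: dict) -> dict:
    """Same blob layout the PHP dropzone writes (re-implemented here for a round-trip test)."""
    pubkey = serialization.load_pem_public_key(pubkey_pem)
    aes_key, nonce = os.urandom(32), os.urandom(12)  # one-time key, 96-bit nonce
    plaintext = json.dumps(fields, ensure_ascii=False).encode("utf-8")
    ct_tag = AESGCM(aes_key).encrypt(nonce, plaintext, None)  # returns ciphertext || tag
    return {
        "meta": {
            "encrypted_key": b64(pubkey.encrypt(aes_key, OAEP_SHA1)),
            "nonce": b64(nonce),
            "tag": b64(ct_tag[-TAG_LEN:]),  # PHP stores the tag separately from the data
            "timestamp": int(time.time()),
        },
        "data": b64(ct_tag[:-TAG_LEN]),
    }

def open_blob(privkey_pem: bytes, blob: dict) -> dict:
    """Agent side, in reverse: unwrap the AES key with RSA-OAEP, then AES-GCM-decrypt."""
    privkey = serialization.load_pem_private_key(privkey_pem, password=None)
    meta = blob["meta"]
    aes_key = privkey.decrypt(base64.b64decode(meta["encrypted_key"]), OAEP_SHA1)
    if len(aes_key) != 32:
        raise ValueError("unwrapped key is not an AES-256 key")
    nonce, tag = base64.b64decode(meta["nonce"]), base64.b64decode(meta["tag"])
    ct = base64.b64decode(blob["data"])
    # The library wants ct || tag; any altered byte raises InvalidTag before JSON is parsed.
    plaintext = AESGCM(aes_key).decrypt(nonce, ct + tag, None)
    return json.loads(plaintext.decode("utf-8"))

def demo_keypair():
    """Throwaway RSA-2048 pair as PEM bytes (the real agent loads its own private key)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    enc = serialization.Encoding.PEM
    priv = key.private_bytes(enc, serialization.PrivateFormat.PKCS8, serialization.NoEncryption())
    pub = key.public_key().public_bytes(enc, serialization.PublicFormat.SubjectPublicKeyInfo)
    return priv, pub
```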
Step 6: The Operator is Notified
If the message is determined to be legitimate, the contact_reflex agent formats it into a human-readable notification. This notification is then securely passed to another agent, like a discord_relay or telegram_relay, which delivers the final message to you and your team.
Category: use cases & examples
Tags: #contact-form, #rsa, #aes-gcm, #php-integration, #use-case, #workflow, #end-to-end-encryption, #secure-ingress, #external-communication, #contact-reflex
Author: matrixswarm
Added: July 28, 2025
Updated: July 28, 2025