Key improves Drupal security by managing sensitive keys (such as API and encryption keys). It lets site administrators define how and where keys are stored, which makes a high level of security possible and helps sites meet regulatory or compliance requirements.

Examples of the types of keys that could be managed with Key are:

  • An API key for connecting to an external service, such as PayPal, MailChimp, UPS, an SMTP mail server, or Amazon Web Services
  • A key used for encrypting data using the Encrypt module

Managing keys

Key provides an administration page where users with the "administer keys" permission can add, edit, and delete keys.

By using Key, administrators can choose to store their keys in the following locations:

  • Configuration (development only): The configuration key provider stores the key in Drupal’s database.
  • File (Better): The file key provider allows a key to be stored in a file, preferably outside of the webroot where it cannot be publicly accessed.
  • External (Best): Use a key management solution external to Drupal. This allows your site to meet security best practices and compliance requirements. Lockr and Townsend Security’s Alliance Key Manager are currently two options with existing modules; however, Key is extensible for any key storage provider.
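For the file provider, one way to verify that a key file really sits outside the webroot is the check below. It is an added example, not code from the Key module; the function name check_key_file and its return codes are hypothetical, and the test on "other" permission bits is an extra assumption beyond what this page requires.

```shell
#!/bin/sh
# Added example, not part of the Key module. All paths are supplied by the caller.
# Usage: check_key_file KEYFILE WEBROOT
# Returns 0 = OK, 1 = bad input or symlinked key, 2 = key inside webroot,
#         3 = key accessible to "other" users.
check_key_file() {
    keyfile=$1
    webroot=$2

    # Conservative choice for this example: reject a symlinked key file rather
    # than follow it, and require a real file and a real webroot directory.
    if [ -L "$keyfile" ] || [ ! -f "$keyfile" ] || [ ! -d "$webroot" ]; then
        echo "FAIL: need a regular, non-symlink key file and a webroot directory"
        return 1
    fi

    # Resolve both directories physically (pwd -P) so a symlinked directory
    # cannot make a key stored under the webroot appear to live elsewhere.
    key_dir=$(cd "$(dirname "$keyfile")" && pwd -P) || return 1
    web_dir=$(cd "$webroot" && pwd -P) || return 1

    # The trailing slash stops /var/www/html2 from matching /var/www/html.
    case "$key_dir/" in
        "$web_dir"/*)
            echo "FAIL: $keyfile resolves to $key_dir, inside webroot $web_dir"
            return 2 ;;
    esac

    # Characters 8-10 of the ls mode string are the "other" permission bits.
    other_bits=$(ls -ld "$keyfile" | cut -c8-10)
    if [ "$other_bits" != "---" ]; then
        echo "FAIL: $keyfile is accessible to other users ($other_bits)"
        return 3
    fi

    echo "OK: $keyfile is outside $web_dir and closed to other users"
    return 0
}

# Run the check when the script is called with both arguments.
if [ "$#" -eq 2 ]; then
    check_key_file "$1" "$2"
fi
```

A non-zero result means the path entered in the file key provider should be moved or its permissions tightened before the key is used.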

Overriding Configuration

The Drupal 8 version of Key provides the ability to override any configuration value with a key. This allows site administrators to store configuration values more securely than in the database or in settings.php.

Key configuration overrides can be created at /admin/config/development/configuration/key-overrides/add.

  • Enter a name for the override
  • Select the specific configuration item you wish to override
  • Select an existing key that provides the value to be used; if the key doesn't exist, you'll need to create it
  • Check "Clear overridden value" to clear any existing value for the overridden configuration item. This is important to make sure potentially sensitive data is removed from the configuration. If for some reason you don't want to clear the value, uncheck this field
  • Click "Save"
