Key

Key provides the ability to improve Drupal security by managing sensitive keys such as API and encryption keys, giving site administrators control over how and where keys are stored.

key
61,439 sites
104
drupal.org

Install

Drupal 12, 9, 8 v8.x-1.20
composer require 'drupal/key:8.x-1.20'
Drupal 11 v8.x-1.17
composer require 'drupal/key:8.x-1.17'

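Overview

The Key module provides a centralized management system for the sensitive keys used across a Drupal site. It separates key storage from key usage: administrators define how and where keys are stored, while other modules retrieve and use keys without needing to know the storage details.

Key uses a flexible plugin architecture with three plugin types: Key Types (define the purpose of a key), Key Providers (define where a key is stored), and Key Inputs (define how a key value is entered). This architecture makes the module highly configurable and extensible.

The module supports storing keys in a variety of locations, including Drupal configuration, files outside the web root, environment variables, and Drupal's state system. This flexibility allows sites to meet regulatory and compliance requirements for handling sensitive data.

In addition, Key provides a configuration override feature that injects key values into any Drupal configuration item at runtime and keeps sensitive values out of exported configuration files.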

Features

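  • Centralized key management through an administrative interface for creating, editing, and deleting site-wide keys
  • Plugin-based architecture with extensible Key Types (Authentication, Encryption, User/Password), Key Providers (Configuration, File, Environment, State), and Key Inputs (Text Field, Textarea, Generate)
  • Secure storage options that keep keys out of the database, including file-based storage outside the web root, environment variables, and Drupal's state system
  • Configuration override system that dynamically injects key values into any Drupal configuration item at runtime
  • Support for multivalue keys that store complex data such as username/password pairs in JSON format
  • Base64 encoding support for encryption keys and binary key values
  • key_select form element that makes it easy to add key selection to other modules' forms
  • Comprehensive API through the key.repository service for programmatic key management
  • Drush commands for key management operations on the command line
  • Automatic key value generation for encryption keys with a configurable key size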

Use Cases

Securing API credentials for external services

Store API keys for services like PayPal, MailChimp, Authorize.net, or AWS using the File or Environment key provider. Create a key with type 'Authentication', select the appropriate provider, and configure the file path or environment variable name. Other modules can then use the key_select form element to allow administrators to select the key in their configuration forms.

Managing encryption keys for data protection

Create encryption keys for use with the Encrypt module. Choose the 'Encryption' key type and specify the required key size (128 or 256 bits). Use the File provider with a location outside the web root for security. Enable Base64 encoding if needed. The Generate key input can automatically create cryptographically secure random keys.

Storing database credentials for external connections

Use the 'User/password' key type to store credentials for external database connections. The key value will be stored as JSON with 'username' and 'password' fields. Use getKeyValues() to retrieve the credentials as an array.

Overriding sensitive configuration values

Use Key Configuration Overrides to inject key values into any Drupal configuration at runtime. This keeps sensitive values like SMTP passwords out of exported configuration files. Create an override mapping a key to a specific configuration item (e.g., system.mail:password), and enable 'Clear overridden value' to remove the sensitive data from stored configuration.

Environment-specific key management

Use the Environment key provider to retrieve keys from environment variables set in your hosting environment. This is ideal for containerized deployments where secrets are injected via environment variables, or for CI/CD pipelines that manage secrets separately from code.

Adding key selection to custom modules

Use the key_select form element to add key selection capability to your module's forms. The element automatically lists available keys and can be filtered by type, provider, or type group using the #key_filters property. Example: '#type' => 'key_select', '#title' => 'API Key', '#key_filters' => ['type' => 'authentication'].
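The key_select usage described above, as an added example that is not code from the Key module or its documentation. The module name example_api, the config object example_api.settings and the helper apiKeyValue() are hypothetical. The form stores only the key's machine name, and the value is read through the key.repository service at the point of use.

```php
<?php

namespace Drupal\example_api\Form;

use Drupal\Core\Form\ConfigFormBase;
use Drupal\Core\Form\FormStateInterface;

/** Settings form for the hypothetical example_api module. */
class SettingsForm extends ConfigFormBase {

  public function getFormId() {
    return 'example_api_settings';
  }

  protected function getEditableConfigNames() {
    return ['example_api.settings'];
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    $form['api_key'] = [
      '#type' => 'key_select',
      '#title' => $this->t('API Key'),
      // Offer only keys of the Authentication type.
      '#key_filters' => ['type' => 'authentication'],
      '#default_value' => $this->config('example_api.settings')->get('api_key'),
      '#required' => TRUE,
    ];
    return parent::buildForm($form, $form_state);
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Persist the key's machine name only; the value stays with its provider.
    $this->config('example_api.settings')
      ->set('api_key', $form_state->getValue('api_key'))
      ->save();
    parent::submitForm($form, $form_state);
  }

  /** Resolves the selected key at the point of use and fails closed. */
  public static function apiKeyValue(): string {
    $id = \Drupal::config('example_api.settings')->get('api_key');
    $key = $id ? \Drupal::service('key.repository')->getKey($id) : NULL;
    $value = $key ? (string) $key->getKeyValue() : '';
    if ($value === '') {
      throw new \RuntimeException('example_api: selected key is missing or empty.');
    }
    return $value;
  }
}
```

Because the exported example_api.settings contains only the key ID, moving the key from one provider to another requires no change in the consuming module.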

Tips

  • Never use the Configuration key provider for production sites - it stores key values in the database and configuration exports
  • Store encryption key files outside the web root and ensure proper file permissions (readable only by web server user)
  • Use environment variables for containerized deployments and secrets managed by orchestration platforms
  • The key_select form element automatically adds a link to create new keys if none are available
  • Use key configuration overrides to keep SMTP passwords, API secrets, and other sensitive values out of config exports
  • When using multivalue key types, retrieve values with getKeyValues() which returns an array, or getKeyValue() for the raw JSON
  • Drush commands are useful for scripting key management in deployment pipelines
  • Consider creating a dedicated directory for key files with restricted permissions (e.g., /etc/drupal-keys/)

Technical Details

Admin Pages 6
Keys /admin/config/system/keys

Main administrative interface for managing site-wide keys. Displays a list of all defined keys showing their name, type, provider, and any configuration overrides using each key. From this page, administrators can add new keys, edit or delete existing keys, and create configuration overrides.

Add key /admin/config/system/keys/add

Form for creating a new key. Allows administrators to define the key name, description, type, provider, and value settings. The form dynamically updates based on selected key type and provider.

Edit key /admin/config/system/keys/manage/{key}

Form for editing an existing key. Shows a warning about the risks of editing keys before allowing changes. Requires confirmation before displaying the edit form.

Delete Key /admin/config/system/keys/manage/{key}/delete

Confirmation form for deleting a key. Warns about potential consequences of key deletion.

Key Configuration Overrides /admin/config/development/configuration/key-overrides

Administrative interface for managing key configuration overrides. These overrides allow key values to be dynamically injected into Drupal configuration items at runtime, keeping sensitive values out of configuration exports.

Add a key configuration override /admin/config/development/configuration/key-overrides/add

Form for creating a new configuration override that injects a key value into a Drupal configuration item.

Permissions 2
Administer keys

Create, edit, and delete site-wide keys. This permission grants full access to key management and should be restricted to trusted administrators only.

Administer key configuration overrides

Create and delete key configuration overrides that inject key values into Drupal configuration.

Hooks 1
hook_key_provider_info_alter

Allows modules to alter the definitions of Key Provider plugins, enabling customization of provider behavior or swapping provider implementations.

Drush Commands 6
drush key:save

Save (create or update) a key with the specified ID and optional settings.

drush key:delete

Delete a key by its ID. Prompts for confirmation before deletion.

drush key:list

Display a list of all available keys with their types and providers.

drush key:type-list

Display a list of available key type plugins.

drush key:provider-list

Display a list of available key provider plugins.

drush key:value-get

Retrieve and display the value of a key. Use with caution as this exposes the key value.

Troubleshooting 5
Key value is empty or NULL when retrieved

Verify the key provider settings are correct. For File provider, check that the file exists and is readable by the web server. For Environment provider, ensure the environment variable is set in the context where PHP runs. For State provider, verify the state variable exists using drush state:get.

Configuration override not working

Ensure the key configuration override is correctly configured with the right configuration type, name, and item. Clear the Drupal cache after creating overrides. Check that the key itself has a valid value. Note that overrides won't show in config exports or the config sync interface.

Cannot edit or delete a key

Editing keys displays a warning and requires confirmation due to potential impacts on dependent functionality. If a key is used by other modules, consider the implications before modifying. The Key module doesn't prevent deletion of keys in use - coordinate with any dependent modules first.

File key provider validation fails

The file must exist and be readable at the time the key is saved. Verify the file path is correct (absolute path, relative to Drupal root, or valid stream wrapper). Check file permissions allow the web server user to read the file.

Generated encryption key is not displayed

For security, generated key values are only displayed once when 'Display value' is checked during key creation. If you miss it, you'll need to delete the key and create a new one, or retrieve it using drush key:value-get with the --base64 option.

Security Notes 7
  • Key values stored with the Configuration provider are visible in the database, configuration exports, and the admin UI - use only for development
  • The File and Environment providers keep key values out of the database, improving security
  • Key configuration overrides remove sensitive values from configuration exports but the override mappings themselves are still exported
  • Users with 'administer keys' permission can view Configuration-stored key values and create keys that could affect site security
  • Encryption keys should use secure random generation (provided by the Generate input) rather than human-chosen values
  • Consider file system security when using the File provider - ensure key files are not accessible via web server misconfiguration
  • Environment variables may be logged or exposed in process listings - understand your hosting environment's security model
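An added audit script (not part of the Key module) that checks a site against the notes above: it reports keys that use the Configuration provider and File-provider keys whose file is inside the web root or accessible beyond its owner. The plugin IDs config and file and the file_location setting are assumptions about the bundled providers; confirm the IDs with drush key:provider-list. The function name example_key_audit() is hypothetical.

```php
<?php

/**
 * Flags keys whose storage conflicts with the security notes above.
 * Run in a bootstrapped site, e.g. via drush php:script.
 */
function example_key_audit(): array {
  $findings = [];
  $file_system = \Drupal::service('file_system');
  $web_root = rtrim(realpath(\Drupal::root()), '/') . '/';

  foreach (\Drupal::service('key.repository')->getKeys() as $id => $key) {
    $provider = $key->getKeyProvider();
    switch ($provider->getPluginId()) {
      case 'config':
        $findings[$id][] = 'Configuration provider: value lands in config exports';
        break;

      case 'file':
        $location = $provider->getConfiguration()['file_location'] ?? '';
        // Resolves stream wrappers and plain paths; FALSE if unresolvable.
        $path = $location === '' ? FALSE : $file_system->realpath($location);
        if ($path === FALSE) {
          $findings[$id][] = "File provider: cannot resolve '$location'";
          break;
        }
        if (strpos($path, $web_root) === 0) {
          $findings[$id][] = "File provider: $path is inside the web root";
        }
        // Group/other bits mean more than the owning user can reach the file.
        $mode = fileperms($path) & 0777;
        if ($mode & 0077) {
          $findings[$id][] = sprintf('File provider: %s has mode %o', $path, $mode);
        }
        break;
    }
  }
  return $findings;
}

foreach (example_key_audit() as $id => $messages) {
  foreach ($messages as $message) {
    print "$id: $message\n";
  }
}
```

The script reads provider settings only and never calls getKeyValue(), so no key value appears in its output.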