Keep your Drupal Site Secure: Managing All Keys Safely and Easily with the Key Module
“Where did I put the key?” — you might ask yourself this when searching for your house or car keys, and the same can happen on a Drupal site. Almost all modern websites rely on keys for integrations with other services, secure authentication, and sensitive data protection. They can be used by anyone — a developer wiring up a complex integration or a marketer adding credentials from a user-friendly service like Mailchimp.
On real-world websites, the approach to handling keys can be a bit chaotic: one can be saved in a specific module’s admin interface, another in a server file, and a third in an environment variable. How to make sure they are managed with consistency, care, and utmost safety?
The Key module comes to the rescue by offering a centralized, secure place for managing all of your website’s keys. The module deserves to be an essential part of your Drupal website’s security strategy. Besides keeping your site secure, it helps your team work faster and with less hassle. Let’s take a closer look at how this module works in Drupal.
What are keys in Drupal, and what are they used for?
Keys are essentially short strings of characters that allow a website to access a service, perform a secure action, or encrypt/decrypt data. They are like passwords, but usually much longer and impossible to guess. The most common use cases for them in Drupal are as follows:
- Connecting third-party services. Many modules need credentials to work with services like Mailchimp, AWS, OpenAI, PayPal, Stripe, Authorize.net, UPS, and more. API keys, OAuth tokens, or cloud storage secrets let your Drupal site communicate securely with these services.
- Data encryption inside Drupal. Modules like Encrypt or Field Encryption use encryption keys to protect sensitive user data.
- Authentication and security modules. Some modules require keys to validate requests or sign the data.
The main features of the Key module in Drupal
The Key module is like a vault inside Drupal where you can efficiently and safely manage all of your Drupal website’s keys, thanks to the following features.
A user-friendly administration page
The module offers an administrative interface to add, edit, and delete keys and define where they should be stored.
Multiple key storage options
You can choose where to store credentials depending on your needs and security requirements: in configuration, in a file, in environment variables on the server, or via a third-party key management system. We’ll discuss this in more detail further in the article.
Compliance and security
By enabling more secure key storage, the module helps sites meet regulatory or compliance requirements related to data security.
A reliable ally for many modules
Any module that needs keys can rely on the Key module, so there’s no need to scatter credentials across configurations.
Overriding configuration values
The module lets you replace some sensitive settings with a secure key, which Drupal will use instead of the plain value. The actual value won’t be exposed in your site’s files or database.
How to use the Key module in Drupal
The settings page of the Key module
With the module installed on your website, you’ll find its settings page at Configuration > System > Keys. You’ll see the list of all keys that are used on your website. You can use the “Add Key” button to add a new key or click “Edit” to edit an existing one (although you’ll see a rightful warning that this must be done with extreme care).
The main settings for a key
Let’s walk through the main key settings — though in many cases you won’t need to configure them manually, as this may depend on your use case and any additional modules in play.
1. Key name and description
This is where you can give your key a name that will help you identify it in your admin interface and, optionally, provide a description.
2. Key type
This is what the key is used for: authentication, encryption, user passwords, and so on.
3. Key provider (where it should be stored)
- Configuration (development only). Storing keys in your Drupal database is convenient for testing and development, but not ideal for production.
- File (better). You can also store them in a file, ideally outside the web-accessible directory, so they aren’t publicly visible.
- Environment (better). Keys can live in environment variables on the server, which keeps them separate from the site code.
- External (best). For maximum security, keys can be managed using a dedicated service (like AWS KMS, HashiCorp Vault, or Azure Key Vault). You will only find this option in the dropdown if you use an additional contributed module or custom plugin that integrates the service.
4. Key value
It’s either the actual value of your secret key or the instructions for Drupal as to where to find it. We’ll discuss this in more detail in the section with examples.
Use case #1: third-party integrations (Mailchimp, OpenAI, and so on)
When you integrate a third-party service, you usually start by installing a specific Drupal module that handles the connection. Many of these modules support the Key module and rely on it for key storage. Quite a few modules make the Key module a strict dependency, so you can’t even proceed without installing it. Even when it isn’t strictly required, using Key is the safer and cleaner approach. It keeps sensitive data out of random config forms, allowing you to swap or rotate keys without hunting through different UIs.
To proceed with the integration, you need to sign up for the service on their website and get credentials (they can be called “API keys,” “secret keys,” “client secrets,” and so on). You copy the credentials and bring them back into your Drupal site. Most integration modules provide a simple form where you can paste the credentials directly.
When you paste the credentials into a specific integration module’s form, some modules will create a key automatically for you. You’ll find it at Configuration > System > Keys.
However, this behavior varies between modules. In many cases, you may still need to manually create a key. In our next example, we’ll focus more on the procedure for doing that.
Use case #2: data encryption
Some Drupal modules need strong keys to protect sensitive user data — passwords, personal info, or private files — by making it unreadable to anyone who doesn’t have the right credentials. Modules like Encrypt, Field Encryption, or Encryption rely on the Key module to store these keys safely. You can also choose to use an encryption provider like Amazon Web Services through the Encrypt KMS module.
Setting up data encryption roughly comes down to two main steps:
- Creating a Key entity in the Key module.
- Creating an Encryption Profile in the Encrypt module.
1. Creating a key
When you store your key safely in the Key module, your encryption module will automatically use it whenever it needs to encrypt or decrypt data.
Head to Configuration > System > Keys > Add key. Under Key Type, select “Encryption.” If you use an external service like KMS, select “KMS key.”
As mentioned earlier, for “Key Provider,” choose “Configuration” if you’re just testing things out. In a real production site, it’s safer to use “File” or “Environment,” so the key isn’t sitting in your database.
One of the most important parts is to add the actual key. You can generate a strong random key yourself using a server command or a secure password generator. Here is how to add it, depending on the “Key Provider” you chose in the previous step:
- Configuration: paste the value directly into Drupal.
- File: generate and store the key file on the server, then provide its path.
- Environment: set a variable on the server, then reference its name in Drupal.
- A service like KMS: paste your KMS key ARN (Amazon Resource Name). Your actual KMS key itself will stay inside AWS.
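As an added example (not from the article or the Key module itself), the following POSIX shell script covers the server-side part of the File and Environment providers described under “Key provider” and in the steps above: generating a 256-bit key, storing it in a file outside the docroot with owner-only permissions, and checking the file or environment variable before pointing Drupal at it. The file path and variable name are assumptions.

```shell
#!/bin/sh
# Added example (not from the Key module or the article): generate a 256-bit
# encryption key, store it in a file outside the web root with owner-only
# permissions, and validate the file or environment-variable form before
# referencing it in Drupal. Paths and variable names are assumptions.

set -eu

# Generate a 32-byte (256-bit) random key, base64-encoded (the form that
# AES-256 providers such as Real AES expect). Prints the key to stdout.
generate_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Write the key to a file that only its owner (the PHP/web user) can read.
# $1 = destination path (keep it outside the docroot), $2 = key value.
write_key_file() {
  umask 077
  printf '%s' "$2" > "$1"
  chmod 0400 "$1"
}

# Sanity check before entering the path in the Key UI: the file must be
# owner-read-only and must decode to exactly 32 bytes. Returns 0 on success.
check_key_file() {
  [ -f "$1" ] || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "400" ] || return 1
  [ "$(base64 -d "$1" 2>/dev/null | wc -c | tr -d ' ')" -eq 32 ]
}

# Environment provider: the same value is exported for the PHP process
# (e.g. in the php-fpm pool or systemd unit) and Drupal is given the variable
# name. $1 = variable name. Returns 0 if it holds a valid 32-byte key.
check_key_env() {
  val=$(printenv "$1" || true)
  [ -n "$val" ] || return 1
  [ "$(printf '%s' "$val" | base64 -d 2>/dev/null | wc -c | tr -d ' ')" -eq 32 ]
}

# Example usage with an assumed path outside the docroot:
# KEY=$(generate_key)
# write_key_file /var/www/private/drupal_encryption.key "$KEY"
# check_key_file /var/www/private/drupal_encryption.key && echo "file ok"
```

The Key module reads the file verbatim, so make sure nothing appends a trailing newline to it, which is why `printf '%s'` is used rather than `echo`.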
2. Creating a profile
Next, you’ll need to create a new encryption profile at Configuration > System > Encryption profiles. Choose the encryption method:
- for KMS encryption, select “Amazon KMS”
- for local keys, pick another supported algorithm (a common option is AES-256, which is available if a module like Real AES is also installed)
Then attach your newly created key by selecting it from the dropdown.
Permissions for the Key module
Out of the box, only the Administrator is allowed to manage keys. This seems very reasonable for many websites, but based on your workflows, you can entrust these permissions to other roles as well. The permissions can be found at People > Permissions. They include:
- administer keys (create, edit, or delete them)
- administer key configuration overrides
Final thoughts
With the Key module in place, your secrets are no longer scattered. They live in one secure, well-organized control hub. No more guesswork or hidden settings. Echoing our opening question: you’ll always know where you put your key — and your site will run safer, smoother, and smarter.
We love sharing how you can keep your Drupal site secure using best practices like ongoing website maintenance, protection from spam bots, restricting unwanted Drush commands, and more. Drop us a line for a comprehensive strategy that covers all aspects of your website’s safe and seamless journey on the World Wide Web.