Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Search API HTML Element Filter 1.0.7 Minor update available for module search_api_html_element_filter (1.0.7). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). UI Patterns (SDC in Drupal UI) 2.0.18 Minor update available for module ui_patterns (2.0.18). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

Credential mask

21 sites Security covered
View on drupal.org

This module prevents sensitive configuration values like API keys from being accidentally committed to your source code. It integrates with Drupal's configuration system to mask these values during export and protect them during import.

Security lead

Whatever you do, don't let this API key get committed!

Developer

  drush config:export

Developer

Uh-oh…

Description

Best practice is to export your configuration and commit it to your source-code repository.
Best practice is also to avoid committing API keys, secrets, etc.

The credential mask module integrates with the configuration management API and ensures that the configuration keys marked as "sensitive" are not exported, and when configuration is imported, the unmasked configuration is not overridden.

Operation

Sensitive items can be managed either:

  1. via Drush
  2. via /admin/config/development/configuration/credential_mask (for users with the "import configuration" permission

Drush Commands

  • credential_mask:add
    Mark a config key as sensitive.
  • credential_mask:del
    Remove a config key from the list of masked credentials.
  • credential_mask:list
    List all active configuration properties identified as sensitive.
  • credential_mask:show-configuration
    Show the configuration names and properties currently marked as sensitive.

Version requirements

  • Drupal core 8.8 or greater
  • Drush 10 or greater.

Similar modules

Other modules in the configuration-management ecosystem, such as Config split and Config filter may provide similar behaviour, or tools to achieve a similar outcome.

Activity

Total releases
4
First release
Oct 2025
Latest release
5 months ago
Releases (12 mo)
4 ▲ from 0
Maintenance
Active

Release Timeline

Releases

Version Type Release date
1.0.0 Stable Feb 17, 2026
1.0.0-alpha3 Pre-release Jan 6, 2026
1.0.0-alpha2 Pre-release Dec 1, 2025
1.0.0-alpha1 Pre-release Oct 9, 2025