Restricted keyways, electronic key cabinets, and cloud-based key management platforms that give auditable control over every key copy made.
Key control is the set of systems and policies that determine who can obtain a copy of a key. The three main tools are: restricted keyways (prevent unauthorized duplication at the hardware level), electronic key cabinets (track physical key possession with audit logs), and cloud-based key management platforms (connect key issuance to HR, access policies, and incident response). Most commercial properties need at least one of these; high-security environments typically use all three in combination.
A restricted keyway is a proprietary key profile registered to a specific keyholder organization. Hardware stores cannot cut copies because they do not stock the key blank. Even locksmiths who do carry the blank cannot cut new keys without verifying the requester is authorized under the registered account.
The restriction is enforced through the manufacturer's dealer network. When a new key is needed, the authorized representative contacts the registered dealer with proof of authorization. The dealer logs the request and cuts the key. This creates an auditable record of every copy in existence.
An electronic key cabinet is a wall-mounted unit with individual locking hooks for physical keys. Each hook is locked and only releases when the user authenticates (PIN, card, or biometric). Every key removal and return is logged with a timestamp and user ID.
Electronic key cabinets are the appropriate solution when:
Leading brands include Morse Watchmans (KeyWatcher), Traka, and Kantech. Systems are available in 12-key to 200-key configurations. Integration with HR systems allows automatic credential changes when an employee is onboarded or offboarded.
Cloud-based key management systems provide a software layer that connects physical key issuance with HR records, access policies, and incident response workflows. Features typically include:
Notable platforms include Keysafe (US-focused property management), KeyTrak (US-focused commercial and healthcare), and Keynest (UK-focused short-term rental). Most charge on a per-property or per-user SaaS basis, typically $40 to $200 per month depending on portfolio size.
The right combination of key control tools depends on your security requirements, budget, and the number of key-access events per year.
Small office (1–10 staff, 1 location): Restricted keyway for any master key level; standard key log (spreadsheet or paper) for change keys. Electronic cabinet is optional.
Mid-size commercial property (10–50 access points): Restricted keyway throughout; electronic key cabinet for shared keys (fleet, equipment, master); basic property management integration.
Large campus or multi-site portfolio (50+ access points, multiple properties): Restricted keyway system with master key hierarchy; electronic key cabinet at each site; cloud platform for cross-site audit and HR integration.
A restricted keyway is a proprietary key profile that hardware stores and most locksmiths cannot duplicate without specific authorization from the registered keyholder. The manufacturer maintains a registry of authorized dealers and requires documented justification before cutting new keys, providing a chain of custody for every copy.
The three most widely supported brands in US commercial applications are Medeco, Mul-T-Lock, and ASSA Abloy Protec2. Medeco and Mul-T-Lock are available through most commercial locksmith networks. ASSA Abloy Protec2 is considered highest security but has a narrower dealer network.
An electronic key cabinet is a wall-mounted unit where each physical key hook is locked and only releases when authenticated. The system logs every removal and return with timestamp and user ID, providing a tamper-evident audit trail. Common brands include KeyWatcher, Traka, and Kantech.
Upgrade triggers: you suspect an unauthorized key copy has been made; you are implementing a master key system; a security audit identified key duplication as a vulnerability; or you manage a high-security area (server room, pharmacy, evidence storage) where access accountability is required.
