← All terms
Keys

Construction Master Key (CMK)

A temporary master key used during construction or fit-out that's invalidated at handover, leaving the operational TMK uncompromised.

A Construction Master Key (CMK) is a temporary master key issued for the construction or fit-out phase of a building. It opens every cylinder in the system, just like the operational TMK, but is mechanically invalidated when the building owner takes possession — usually by inserting and turning the operational change key, which displaces a sacrificial pin and removes the CMK shear line.

The point is to let trades (electricians, plumbers, elevator techs, fit-out crews) move freely through the building during construction without exposing the customer’s permanent TMK to dozens of subcontractors. When the project is signed off, the CMK becomes useless without anyone needing to call back the issued copies.

The problem the CMK solves

Imagine you’re delivering a master key system for a new 30-floor commercial tower. The customer wants the operational TMK held by the building manager and only the building manager. Now consider the people who need access to the building during construction:

  • 12 electricians from three different companies
  • A plumbing crew of 6
  • The lift technicians (typically 4–6 people)
  • HVAC commissioning staff
  • The fit-out builder’s site manager and 8 crew
  • Painters
  • The cleaners doing the pre-handover sweep
  • The customer’s own facilities team doing inspections

That’s 40+ people who need master-level access for 12 weeks. Issuing them all the operational TMK would mean 40 copies of the highest-value key in the system are floating around contractor van consoles. Some get lost. Some get duplicated by contractors at the end of their phase as a backup. By handover the customer’s permanent TMK is functionally compromised before they’ve even moved in.

The CMK solves this by giving every contractor a temporary master that does the same job, with the explicit understanding that the day the customer takes possession, every CMK becomes useless. The locksmith doesn’t need to recover the issued CMKs — they self-invalidate when the operational keys are first used.

How invalidation works mechanically

Most CMK systems use a break-out pin (also called a construction pin) in each chamber. While the break-out pin is in place, the chamber has two valid shear-line splits — one for the CMK depth and one for the operational depth.

When the operational change key (or operational master) is first used, the break-out pin falls into a relief in the cylinder body and stays there. The chamber now has only one valid split — the operational one. The CMK shear line is gone. Any CMK presented to the cylinder afterwards lifts the bottom pin to a depth that no longer corresponds to a clean shear line, and the cylinder doesn’t rotate.

Once the break-out pins fall, the cylinder cannot be returned to CMK operation without re-pinning. There’s no software switch, no key sequence — the invalidation is physical and permanent. This is the feature, not a bug.

When you actually need a CMK

Not every job needs a CMK. The trade-off is real: deriving and tracking a CMK adds design and admin overhead, and the construction pins add a little to the per-cylinder pinning cost.

CMK makes sense when:

  • More than 5–10 contractors will need master access. Below that, just issue them change keys for the doors they need.
  • Construction lasts more than a few weeks. For a one-week fit-out, the convenience of skipping CMK setup outweighs the security risk.
  • The customer’s TMK is genuinely high-value. Restricted-keyway systems, government work, multi-tenant commercial — anywhere the TMK belongs to one or two named people forever.
  • You’re building speculative. A developer fitting out a tower for unknown future tenants needs to walk every door for inspections without committing to the eventual TMK design.

CMK doesn’t make sense when:

  • The system is residential MK (the homeowner is the GC).
  • The “construction phase” is one electrician for one afternoon.
  • The customer’s TMK security model already assumes wide circulation.

Deriving a CMK that doesn’t compromise the TMK

The whole point of CMK is to leave the operational TMK secure. That means the CMK and the TMK must share zero pin elevations across the system — no change key in the system should ever accidentally lift to a CMK split, or vice versa, except the construction pins explicitly designed to.

A naive CMK derivation — “just pick another bitting and add a master pin everywhere” — fails this test. If your CMK happens to share a depth with the TMK in chamber 4, then any change key whose alternate split lands at the CMK depth in that chamber gets cross-access between the two key systems. The CMK doesn’t fully invalidate; the TMK isn’t fully isolated.

Keyzee derives the CMK during the survey stage by:

  1. Allocating the operational TMK first using the Rotating Constant Method.
  2. Choosing a CMK bitting that shares no constant position with the TMK. Where the TMK has its constant at chamber 1, the CMK has its constant at chamber 4 (or wherever the optimiser finds the cleanest seat).
  3. Sizing the construction pins so that the CMK shear line is unambiguously above or below all operational shear lines, and there are no overlapping splits.
  4. Running phantom scan with both shear lines active — once for CMK + operational keys, once for operational keys alone (post-invalidation). The system has to be phantom-safe in both states.

It’s the second pass — phantom-safe post-invalidation — that’s most often missed. A CMK system can be perfectly secure while the construction pins are in place, and develop new phantoms once they fall out, because the chamber stack height changes by the construction pin size and the math shifts.

Key custody and audit

Even though CMKs invalidate at handover, they’re still tracked. Best practice is:

  • Per-contractor CMK issuance. Don’t hand the same CMK to two contractors; each gets their own copy with a stamp linking it to the contractor name.
  • Issue log in the key register. Date issued, contractor name, expected return date.
  • Recovery acknowledgement. The contractor signs back the CMK at end of phase. (You’ll get most back; the rest invalidate at handover anyway.)
  • CMK handover record — separate from the operational handover record, listing every CMK issued and when. The customer sees this at takeover and signs off.

Keyzee generates the CMK handover record automatically alongside the operational one — both ship as PDFs from the system page.

At handover

The day the customer takes possession, the locksmith (or the customer themselves with appropriate guidance) inserts the operational change key into every cylinder once and turns it. That single rotation drops every break-out pin in the system. Once it’s done across all cylinders, the CMK is dead.

This step matters. If even one cylinder doesn’t get the operational-key insertion, the CMK keeps working on that cylinder. A 30-floor building has hundreds of cylinders; missing five at handover is easy. The locksmith should walk every door at handover with both keys — operational change key for the test, CMK for the validation that it no longer works.

A clean handover ends with: every cylinder accepts the operational change keys (and their master), no cylinder accepts the CMK. The operational handover record is signed; the CMK handover record is closed out.

TMK — the permanent master key the CMK protects → Master pin — the mechanism the construction pin extends → Rotating Constant Method — the allocation method Keyzee uses for both CMK and TMK

Related terms

Top Master Key (TMK)

The single key at the top of a master key hierarchy that opens every cylinder in the system.

Master pin

An extra pin between the bottom pin and the driver pin that creates a second valid shear-line split, allowing two keys to open the same cylinder.

Rotating Constant Method (RCM)

An allocation pattern where each change key shares one position at TMK depth — the constant — and the constant rotates across keys, reducing phantom count.
← Back to glossary See the engine →

See it in the engine.
30 days, no card.

Every term in this glossary maps to something Keyzee actually does. Open the app and watch the math run.

Start 30-day free trial See pricing
Setup in 60 seconds Sample project included Cancel anytime