This is fine, since he is not only sending him this key via mail, but also the door including the lock with a full clone. If he makes sure that he doesn't have a door with the same lock at home (i.e. he sends the image, but doesn't use it himself afterwards), there is nothing to worry about (as long as your fried trusts you, of course).
Sending the Pi as hardware to you, so you can set it up and sending it back, might be much easier and less errorprone. Also, he could simply set up a strong password for SSH and forward the port for you, so you can log in on his Pi and do the work. Or use a remote desktop controlling software as @deHakkelaar recommended. I myself would never do that, but opinion (and the "personal threat level" 
) differ