CredHub
CredHub is a credential management component (security, secrets management) in the Cloud Foundry ecosystem that stores, generates, and retrieves credentials securely for platforms and applications.
- Centralized storage and lifecycle management for credentials, keys, and certificates (secrets management, Public Key Infrastructure (PKI))
- Secure credential generation, rotation, and regeneration workflows (security automation)
- Access via RESTful Application Programming Interface (API) for platforms, operators, and automation tools (API-based integration)
- Encryption of credentials at rest with pluggable encryption providers and Hardware Security Module (HSM) support (data protection)
- Tight integration with Cloud Foundry platform components and BOSH deployments (platform security)
More About CredHub
CredHub is a credential management service (security, secrets management) designed to provide secure storage, access, and lifecycle control for credentials, keys, and certificates used by Cloud Foundry platforms, deployed applications, and automation systems. It addresses the problem of distributing and managing secrets across distributed infrastructure by centralizing control behind a policy-driven API.
At its core, CredHub offers an API for creating, retrieving, updating, and deleting credentials, including passwords, certificates, Secure Shell (SSH) keys, Rivest-Shamir-Adleman (RSA) keys, and other secret values (secrets management, PKI). It supports credential generation functions that allow operators and automation pipelines to request strong, randomly generated secrets according to defined parameters, such as length and the character classes to include. CredHub also supports credential rotation and regeneration workflows (security automation), enabling operators to replace credentials without manual secret handling or direct file-based distribution.
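The generation workflow described above, as an added example that is not CredHub's own code: a request body in the shape CredHub accepts for a generated password credential (name, type and a parameters object with length and the exclude_upper, exclude_lower, exclude_number and include_special switches) together with a generator that honours those parameters using crypto/rand and a conformance check a pipeline can apply to the result. The special-character set, the sample credential name and the fallback length of 30 when none is given are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// PasswordParams mirrors the "parameters" object of a password generation
// request: how long the value is and which character classes are allowed.
type PasswordParams struct {
	Length         int  `json:"length"`
	ExcludeUpper   bool `json:"exclude_upper"`
	ExcludeLower   bool `json:"exclude_lower"`
	ExcludeNumber  bool `json:"exclude_number"`
	IncludeSpecial bool `json:"include_special"`
}

// GenerateRequest is the JSON body a client sends to have the service
// generate (rather than supply) the credential value.
type GenerateRequest struct {
	Name       string         `json:"name"`
	Type       string         `json:"type"`
	Parameters PasswordParams `json:"parameters"`
}

const (
	upper   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	lower   = "abcdefghijklmnopqrstuvwxyz"
	digits  = "0123456789"
	special = "!@#$%^&*_-" // constructed set for this example, not CredHub's list
)

// RequestJSON serialises a generation request for the given credential name.
func RequestJSON(name string, p PasswordParams) (string, error) {
	body, err := json.Marshal(GenerateRequest{Name: name, Type: "password", Parameters: p})
	return string(body), err
}

// Alphabet builds the permitted character set and rejects a parameter
// combination that excludes every class, which would otherwise yield nothing.
func Alphabet(p PasswordParams) (string, error) {
	var b strings.Builder
	if !p.ExcludeUpper {
		b.WriteString(upper)
	}
	if !p.ExcludeLower {
		b.WriteString(lower)
	}
	if !p.ExcludeNumber {
		b.WriteString(digits)
	}
	if p.IncludeSpecial {
		b.WriteString(special)
	}
	if b.Len() == 0 {
		return "", errors.New("parameters exclude every character class")
	}
	return b.String(), nil
}

// GeneratePassword draws each character uniformly from the alphabet with
// crypto/rand; rand.Int avoids the modulo bias of reducing a raw byte.
func GeneratePassword(p PasswordParams) (string, error) {
	if p.Length <= 0 {
		p.Length = 30 // assumed fallback when the caller gives no length
	}
	alpha, err := Alphabet(p)
	if err != nil {
		return "", err
	}
	out := make([]byte, p.Length)
	limit := big.NewInt(int64(len(alpha)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = alpha[idx.Int64()]
	}
	return string(out), nil
}

// Conforms reports whether a value respects the length and exclusions in p,
// the check an automation pipeline can run before accepting a generated secret.
func Conforms(pw string, p PasswordParams) bool {
	if p.Length > 0 && len(pw) != p.Length {
		return false
	}
	for _, c := range pw {
		switch {
		case strings.ContainsRune(upper, c):
			if p.ExcludeUpper {
				return false
			}
		case strings.ContainsRune(lower, c):
			if p.ExcludeLower {
				return false
			}
		case strings.ContainsRune(digits, c):
			if p.ExcludeNumber {
				return false
			}
		case strings.ContainsRune(special, c):
			if !p.IncludeSpecial {
				return false
			}
		default:
			return false
		}
	}
	return true
}

func main() {
	p := PasswordParams{Length: 24, ExcludeUpper: true, IncludeSpecial: true}
	body, _ := RequestJSON("/bosh/my-deployment/db-password", p) // constructed name
	fmt.Println(body)
	pw, err := GeneratePassword(p)
	if err != nil {
		panic(err)
	}
	fmt.Println(len(pw), Conforms(pw, p))
}
```

The generator never logs or returns the value anywhere except to the caller; in CredHub the equivalent value is written encrypted and only handed back over the authenticated API.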
The service encrypts all stored credential values at rest (data protection) and relies on configurable encryption providers, which can include software-based keys or hardware security modules (HSMs) when available. This design allows enterprises to align CredHub with internal cryptographic policies and key management practices. Encryption keys used by CredHub can be rotated, and the system can re-encrypt stored credentials under new keys.
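The at-rest encryption and key rotation just described, as an added example that is not CredHub's code: an in-memory credential table whose rows hold only ciphertext, a nonce and the id of the key that produced them; a rotation that installs a new active key and re-encrypts every row under it; and a retirement step that refuses to drop a key while any row still depends on it. The store uses AES-256-GCM from the Go standard library with raw keys held in memory, standing in for the software or HSM provider a real deployment would use; the credential name is bound in as associated data so a ciphertext moved to another row fails to decrypt. Key ids, the credential name and the secret value are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredValue is what a database row holds: never the plaintext, only the
// ciphertext, its nonce and the id of the key that encrypted it.
type StoredValue struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// Store is an in-memory stand-in for the credential table plus its key set.
type Store struct {
	keys   map[string][]byte // key id -> 32-byte AES key (provider-backed in a real deployment)
	active string            // id of the key used for new writes
	values map[string]StoredValue
}

// NewKey returns a fresh random 256-bit AES key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func NewStore(keyID string, key []byte) *Store {
	return &Store{keys: map[string][]byte{keyID: key}, active: keyID, values: map[string]StoredValue{}}
}

func (s *Store) aead(keyID string) (cipher.AEAD, error) {
	k, ok := s.keys[keyID]
	if !ok {
		return nil, fmt.Errorf("no key with id %q", keyID)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Set encrypts value under the active key with a fresh nonce. The credential
// name is the associated data, so the ciphertext is bound to its own row.
func (s *Store) Set(name string, value []byte) error {
	g, err := s.aead(s.active)
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := g.Seal(nil, nonce, value, []byte(name))
	s.values[name] = StoredValue{KeyID: s.active, Nonce: nonce, Ciphertext: ct}
	return nil
}

// Get decrypts with whichever key the row references, so values written
// before a rotation stay readable until they are re-encrypted.
func (s *Store) Get(name string) ([]byte, error) {
	v, ok := s.values[name]
	if !ok {
		return nil, fmt.Errorf("no credential %q", name)
	}
	g, err := s.aead(v.KeyID)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, v.Nonce, v.Ciphertext, []byte(name)) // fails on any tampering
}

// KeyIDOf reports which key a stored credential currently depends on.
func (s *Store) KeyIDOf(name string) string { return s.values[name].KeyID }

// Rows exposes the raw table for inspection.
func (s *Store) Rows() map[string]StoredValue { return s.values }

// Rotate adds newKey, makes it active, and re-encrypts every row that still
// references an older key. It returns how many rows were rewritten.
func (s *Store) Rotate(newID string, newKey []byte) (int, error) {
	if _, exists := s.keys[newID]; exists {
		return 0, fmt.Errorf("key id %q already in use", newID)
	}
	s.keys[newID] = newKey
	s.active = newID
	n := 0
	for name, v := range s.values {
		if v.KeyID == newID {
			continue
		}
		pt, err := s.Get(name)
		if err != nil {
			return n, fmt.Errorf("re-encrypt %q: %w", name, err)
		}
		if err := s.Set(name, pt); err != nil {
			return n, err
		}
		n++
	}
	return n, nil
}

// Retire removes an old key, refusing while it is active or any row needs it.
func (s *Store) Retire(keyID string) error {
	if keyID == s.active {
		return errors.New("cannot retire the active key")
	}
	for name, v := range s.values {
		if v.KeyID == keyID {
			return fmt.Errorf("credential %q is still encrypted under %q", name, keyID)
		}
	}
	delete(s.keys, keyID)
	return nil
}

func main() {
	k1, _ := NewKey()
	k2, _ := NewKey()
	s := NewStore("key-2023", k1)
	_ = s.Set("/bosh/prod/db-password", []byte("constructed-secret")) // constructed row
	n, _ := s.Rotate("key-2024", k2)
	fmt.Println("re-encrypted rows:", n, "now under", s.KeyIDOf("/bosh/prod/db-password"))
	fmt.Println("retire old key:", s.Retire("key-2023"))
}
```

The order matters operationally: the new key is added and made active first, rows are rewritten, and only then is the old key removed, which is why the retirement check scans for remaining references rather than trusting that rotation finished.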
CredHub is integrated with Cloud Foundry components and BOSH (platform security, infrastructure automation). BOSH deployments can use CredHub as a source of runtime configuration secrets, removing the need to embed secrets directly into manifests. Cloud Foundry platform services and applications can access CredHub through service accounts and role-based permissions, enabling Separation of Duties (SoD) between application teams and platform operators.
The CredHub API is REST-based and secured with OAuth2 and the User Account and Authentication (UAA) server (identity and access management) for authentication and authorization. This allows integration with existing enterprise identity providers through UAA’s federation capabilities, and enables fine-grained control over which clients or operators can access specific credential paths.
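The path-based authorization described above, as an added example that is not CredHub's code: permission entries that name an actor, a credential path and the operations allowed on it (read, write, delete, read_acl, write_acl); a mapping from already-verified UAA token claims to an actor string, where a client_credentials grant identifies the client and any other grant the user; and a deny-by-default check. Path rules are either an exact credential name or a prefix ending in "/*", which this example treats as covering names strictly below the prefix. Verifying the token's signature against UAA's key is assumed to have happened before the claims reach this code, and the client ids, user id and paths are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission is one access-control entry on a credential path.
type Permission struct {
	Actor      string   // "uaa-client:<client_id>", "uaa-user:<user_id>", "mtls-app:<app_guid>"
	Path       string   // exact credential name, or a prefix ending in "/*"
	Operations []string // read, write, delete, read_acl, write_acl
}

// ActorFromClaims maps verified UAA token claims to an actor string. Only the
// claims needed here are modelled; signature checking happened upstream.
func ActorFromClaims(claims map[string]string) (string, error) {
	if claims["grant_type"] == "client_credentials" {
		if id := claims["client_id"]; id != "" {
			return "uaa-client:" + id, nil
		}
	} else if id := claims["user_id"]; id != "" {
		return "uaa-user:" + id, nil
	}
	return "", fmt.Errorf("token carries no usable identity")
}

// PathMatches implements the two rule forms. A "/*" rule covers everything
// under its prefix, and the trailing slash is kept so that "/bosh/prod/*"
// does not leak onto "/bosh/production/...".
func PathMatches(rule, name string) bool {
	if strings.HasSuffix(rule, "/*") {
		return strings.HasPrefix(name, strings.TrimSuffix(rule, "*"))
	}
	return rule == name
}

// Allowed is deny-by-default: the operation is permitted only when some entry
// names this actor, covers this path and lists this operation.
func Allowed(perms []Permission, actor, name, op string) bool {
	for _, p := range perms {
		if p.Actor != actor || !PathMatches(p.Path, name) {
			continue
		}
		for _, o := range p.Operations {
			if o == op {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed ACL: a CI pipeline may read one deployment's secrets, a
	// platform operator may manage the ACL and write them.
	perms := []Permission{
		{Actor: "uaa-client:concourse-ci", Path: "/bosh/prod/*", Operations: []string{"read"}},
		{Actor: "uaa-user:op-1234", Path: "/bosh/prod/*", Operations: []string{"read", "write", "read_acl", "write_acl"}},
	}
	actor, _ := ActorFromClaims(map[string]string{"grant_type": "client_credentials", "client_id": "concourse-ci"})
	fmt.Println(actor, "read /bosh/prod/db-password:", Allowed(perms, actor, "/bosh/prod/db-password", "read"))
	fmt.Println(actor, "write /bosh/prod/db-password:", Allowed(perms, actor, "/bosh/prod/db-password", "write"))
	fmt.Println(actor, "read /bosh/production/db-password:", Allowed(perms, actor, "/bosh/production/db-password", "read"))
}
```

Keeping the application pipeline's client on read-only access to its own prefix, while write_acl stays with the operator identity, is the separation of duties the text refers to; the prefix test with the slash retained is the detail that most often goes wrong when such checks are reimplemented.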
In enterprise environments, CredHub functions as a centralized secrets service within the broader Cloud Foundry architecture (platform security, secrets management). It supports compliance-focused operations by enabling audit-friendly handling of credentials, consistent policy enforcement, and automated rotation. Its design positions it in a taxonomy alongside other enterprise secrets management tools, but optimized for Cloud Foundry and BOSH-based infrastructures and workflows.