CredHub and The Road to Credential Rotation

July 17, 2018 Brian McClain

There’s a common culprit behind many IT breaches: stale credentials.

A bad actor will often get a hold of usernames, passwords, and other “secrets.” From there, hacking enterprise systems is a relative breeze.

As Pivotal Chief Security Officer Justin Smith points out, credentials are often long-lived, meaning in the event of a credential leak, attackers could have prolonged access to your environment. Even if the credentials aren’t used for an initial point of entry, they could be used to expand what attackers have access to once inside your environment. So how can you reduce the value of credentials? With rapid, frequent rotation.

Clearly, a robust security posture in 2018 needs to include some mitigation of the threat posed by leaked credentials.

Enter CredHub, which generates, stores and manages the lifecycle of credentials in Cloud Foundry. From cradle to grave, CredHub is the centralized solution for all secrets in Cloud Foundry. While CredHub has existed within PCF since v1.11, it continues protect more and more secrets in the platform with each and every release (see Table 1 for a rundown of the most recent feature releases.) We wanted to take a look at the ways Credhub is already helping improve PCF, and even a couple of things to look for in the future.



PCF 1.11

CredHub co-located on the BOSH Director VM.

PCF 1.12

Migration of Internal Credentials to CredHub

PCF 2.1

Configure an External CredHub Encryption Provider

PCF 2.1

Runtime CredHub Can Use HSMs

PCF 2.2

Ops Manager Credentials Stored in CredHub

MySQL v2.3.0

Operators can store service credentials in runtime CredHub

RabbitMQ for PCF v1.12.3

Beta support for secure credentials in CredHub

Spring Cloud Services v1.5.0

Spring Cloud Services service broker and worker apps now can use the Runtime CredHub to store service instance credentials

CredHub Service Broker 1.0

Provides secure access to service credentials for services that are not running on Pivotal Application Service

Table 1: The latest CredHub feature releases for Pivotal Cloud Foundry and related services.

First, operators that are familiar with BOSH manifests may have noticed a very important change with v262: sensitive credentials from the manifest have been replaced with variables. In many cases, operators never see these passwords. Instead, passwords and certificates are generated, encrypted, and stored by CredHub at deployment time. The BOSH Director then communicates with CredHub as needed to provide these credentials to new or existing deployments.

Variables can be parameterized and generated at deployment time

Many service tiles now work with CredHub as well, including MySQL, RabbitMQ and Spring Cloud Services. For tile developers, there’s already great documentation on how you can update your tile to take advantage of all that CredHub has to offer. Once updated, all service bindings will provide their credentials to applications via CredHub. Make sure to keep an eye on future PCF releases to see more and more services integrating with CredHub.

Finally, last month we extended the power and security of CredHub to operators and developers alike with the addition of the CredHub Service Broker. This service broker provides an easy and secure way for apps running on the Pivotal Application Service (PAS) to read credentials from CredHub and offers an alternative to user-provided services. Instead of storing sensitive data in the Cloud Controller database and being made available to applications as plaintext metadata, the CredHub Service Broker stores them in CredHub, only making them available to application containers with authorized access. To ensure the identity is correct, every application container in PAS includes a signed certificate and key, which is used to communicate with CredHub and provide its identity. Be sure to check out two great blogs by our own Colin Jackson on how developers can use CredHub as well as a great look on how CredHub provides credentials to applications.

Creating a new set of credentials in the CredHub Service Broker is as simple as a single command-line call:

cf create-service credhub default my-credhub -c '{"my-cred": "my value"}'

When the service is bound to the application, the credentials are made available just as any other set of service credentials in PAS. However, only the application instances bound to the service have access. Any operation from outside of the application simply sees a reference to the credential:

➜  ~ cf env my-app

Getting env variables for app my-app in org dev / space dev as admin...





 "credhub": [


   "binding_name": null,

   "credentials": {

    "credhub-ref": "/credhub-service-broker/credhub/92896866-dec7-4655-ba30-dbb06c8f8709/credentials"


"instance_name": "my-credhub",

"label": "credhub",

"name": "my-credhub",

"plan": "default",



The Road to Credential Rotation

With each release, CredHub continues to expand its reach across PCF, truly embracing security by default. That’s not to say that security doesn’t continue to be something that should be at the front of everyone’s mind, but rather provides the means to improve and adapt to new enterprise security best practices. With the building blocks of the Three R’s, it’s easy to see just how important a solution like CredHub is in helping mitigate modern threats. Make sure to watch for new releases of CredHub, PCF and your favorite services to see the latest CredHub integrations!

Learn about enterprise security at the cloud event of the year: SpringOne Platform, Sept 24-27 in Washington, DC. Register now!

About the Author

Brian McClain

Brian is a Principal Product Marketing Manager on the Technical Marketing team at Pivotal, with a focus on technical educational content for Pivotal customers as well as the open source communities. Prior to Pivotal, Brian worked on both the development and operations of software, with a heavy focus on Cloud Foundry and BOSH at companies in many industries including finance, entertainment and technology. He loves learning and experimenting with new technologies, and more importantly sharing the lessons learned along the way

Follow on Twitter Follow on Linkedin More Content by Brian McClain
How and Why to Classify Problems in User Interviews
How and Why to Classify Problems in User Interviews

Measure Intensity, Frequency, and RecencyAs a product team, how do you know which problem to solve? This qu...

So, You Want to Build a “Silicon Valley-like” Software Developer Culture? Focus on the People.
So, You Want to Build a “Silicon Valley-like” Software Developer Culture? Focus on the People.

The ongoing race to reinvent enterprise IT’s identity as a modern software development shop.A few years ago...

SpringOne at VMware Explore 2023

Learn More