_bosh-runtime-credhub.html.md.erb

## <a name="pcfcredhub"></a>CredHub in PCF

A PCF deployment stores credentials in the following locations:

* **BOSH CredHub**: Colocated with the BOSH Director on a single VM. This CredHub instance stores credentials for the BOSH Director.
* **Runtime CredHub**: Deployed as an independent service and stores service instance credentials.

### <a name="bosh"></a>BOSH CredHub

In PCF, BOSH Director VM includes a CredHub job.
This provides a lightweight credential storage instance for the BOSH Director. The BOSH Director, Pivotal Application Service (PAS), and other tiles store credentials in BOSH CredHub. For more information, see [Retrieving Credentials from Your Deployment](../customizing/credentials.html#credhub). 

<p class="note"><strong>Note</strong>: This configuration does not provide high availability.</p>

In this colocated deployment architecture, the BOSH Director, CredHub, UAA, and the Director database are all installed on a single BOSH VM, as shown in the following diagram:

![Diagram that show the following components colocated on the BOSH VM: BOSH Director, CredHub, UAA, and the Director database](images/bosh-deployment.png) 

### <a name="runtime"></a>Runtime CredHub

The PAS tile deploys CredHub as an independent service on its own VM.
This provides a highly available credential storage instance for securing service instance credentials. For more information, see [Securing Service Instance Credentials with Runtime CredHub](../opsguide/secure-si-creds.html).

CredHub is a stateless application, so you can scale it to multiple instances that share a common database cluster and encryption provider.

With CredHub as a service, the load balancer and external databases communicate directly with the CredHub VMs, as shown in the following diagram:

![Diagram that shows multiple CredHub VMs that connect to UAA, an HSM, an external database, and a load balancer. The load balancer connects to four consumer VMs.](images/service-deployment.png)

## <a id='store-creds'></a> Using CredHub to Store Credentials for Service Tiles

If you develop a service tile for PCF and want to store its credentials in BOSH CredHub, see the [CredHub](https://docs.pivotal.io/tiledev/credhub.html) section of the _Tile Developer Guide_.