_credhub-cloudform.html.md.erb

1. Select **Credhub**. 
	![Credhub](credhub.png)
1. Choose the location of your CredHub Database. PAS includes this CredHub database for services to store their service instance credentials. 
	1. If you chose **External**, enter the following:
		* **Hostname**: The IP address of your database server.  This is the value from the `PcfRdsAddress` key in the AWS output. 
		* **TCP Port**: The port of your database server. This is the value from the `PcfRdsPort` key in the AWS output.. 
		* **Username**: The value from the `PcfRdsUsername` key in the AWS output.
		* **Password**: The value from the `PcfRdsPassword` key in the AWS output. 
		* **Database CA Certificate**: Enter a certificate to use for encrypting traffic to and from the database. 
1. Under **Encryption Keys**, specify a key to use for encrypting and decrypting the values stored in the CredHub database.
	* **Name**: Enter the name of the key.
	* **Key**: Enter a key that is at least 20 characters in length. 
	* **Primary**: Select this checkbox to use this key as your primary key. 
		<p class="note"><strong>Note</strong>: Ensure that you only mark one key as <b>Primary</b>. The UI includes an <b>Add</b> button to add more keys to support key rotation. For more information, see the [Rotating Runtime CredHub Encryption Keys](../opsguide/credential-rotation.html) topic.
</p>
1. If your deployment uses any PCF services that support storing service instance credentials in CredHub and you want to enable this feature, select the **Secure Service Instance Credentials** checkbox. 
1. Select the **Resource Config** pane.
1. Under the **Job** column of the **CredHub** row, set the number of instances to `2`. This is the minimum instance count required for high availability.

<p class="note"><strong>Note</strong>: To use the runtime CredHub feature, you must follow the additional steps in <a href="../opsguide/secure-si-creds.html">Securing Service Instance Credentials with Runtime CredHub</a>.</p>