forked from pivotal-cf/docs-pcf-install
_credhub-encryption.html.md.erb
For **CredHub Encryption Provider**, you can choose whether BOSH CredHub stores its encryption key internally on the BOSH Director and CredHub VM, or in an external hardware security module (HSM). The HSM option is more secure. Before configuring an HSM encryption provider in the **Director Config** pane, you must follow the procedures and collect information as described in [Preparing CredHub HSMs for Configuration](hsm-config.html).

<p class="note"><strong>Note: </strong>After you deploy Ops Manager with an HSM encryption provider, you cannot change BOSH CredHub to store encryption keys internally.</p>

![CredHub Encryption Provider options in the Director Config pane](images/credhub-hsm.png)
* **Internal:** Select this option for internal CredHub key storage. This option is selected by default and requires no additional configuration.
* **Luna HSM:** Select this option to use a SafeNet Luna HSM as your permanent CredHub encryption provider, and fill in the following fields:
    1. **Encryption Key Name**: Any name to identify the key that the HSM uses to encrypt and decrypt the CredHub data. Changing this key name after you deploy Ops Manager could cause service downtime.
    1. **Provider Partition**: The partition that stores your encryption key. Changing this partition after you deploy Ops Manager could cause service downtime. For this value and the ones below, use the values gathered in [Preparing CredHub HSMs for Configuration](hsm-config.html).
    1. **Provider Partition Password**
    1. **Provider Client Certificate**: The certificate that validates the identity of the HSM when CredHub connects as a client.
    1. **Provider Client Certificate Private Key**
    1. **HSM Host Address**
    1. **HSM Port Address**: If you don't know your port address, enter `1792`.
    1. **Partition Serial Number**
    1. **HSM Certificate**: The certificate that the HSM presents to CredHub to establish a mutual TLS (mTLS) connection.
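A mismatched client certificate and private key, or an unparseable HSM certificate, only surfaces as a failed deploy after you apply changes. The following pre-flight check is an added example, not part of these docs or of Ops Manager; it assumes `openssl` is installed and that the three PEM files (placeholder names) hold the material gathered in [Preparing CredHub HSMs for Configuration](hsm-config.html).

```shell
#!/usr/bin/env bash
# Pre-flight check for the Luna HSM certificate fields in the Director
# Config pane. File paths are placeholders supplied by the operator.
set -u

# check_hsm_material CLIENT_CERT CLIENT_KEY HSM_CERT
# Returns 0 when the material is consistent, 1 otherwise.
check_hsm_material() {
  local client_cert="$1" client_key="$2" hsm_cert="$3"
  local cert_pub key_pub

  # 1. The HSM certificate must be a parseable X.509 certificate; it is
  #    what CredHub uses to authenticate the HSM end of the mTLS session.
  if ! openssl x509 -in "$hsm_cert" -noout -subject >/dev/null 2>&1; then
    echo "HSM Certificate is not a valid PEM X.509 certificate" >&2
    return 1
  fi

  # 2. The HSM certificate must not already be expired (-checkend 0).
  if ! openssl x509 -in "$hsm_cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "HSM Certificate has expired" >&2
    return 1
  fi

  # 3. Provider Client Certificate and its private key must belong together:
  #    compare the public key embedded in the certificate with the public
  #    key derived from the private key (works for RSA and EC keys).
  cert_pub=$(openssl x509 -in "$client_cert" -noout -pubkey 2>/dev/null) || {
    echo "Provider Client Certificate is not a valid PEM certificate" >&2
    return 1
  }
  key_pub=$(openssl pkey -in "$client_key" -pubout 2>/dev/null) || {
    echo "Provider Client Certificate Private Key is not a valid PEM key" >&2
    return 1
  }
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "Provider Client Certificate and Private Key do not match" >&2
    return 1
  fi

  echo "HSM certificate material is consistent"
  return 0
}
```

Run it as `check_hsm_material client.pem client-key.pem hsm.pem` before pasting the values into the pane; a non-zero exit names the field that needs attention.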