diff --git a/README.md b/README.md
index 5df0158..1d1f3a7 100644
--- a/README.md
+++ b/README.md
@@ -24,11 +24,11 @@ provisioning and deploying new environments.
 Features
 -------
-## `external-postgres`
+## `external-postgres` and `external-postgres-vault`
 By default an internal (colocoated job) postgres is deployed for use. Optionally you may configure to use an external PostgreSQL database by adding the
-`external-postgres` feature together with the following in vault (no defaults):
+`external-postgres-vault` feature together with the following in vault (no defaults).
 ```
 secret/$env/vault/db:scheme
@@ -39,6 +39,13 @@ secret/$env/vault/db:port
 secret/$env/vault/db:sslmode
 secret/$env/vault/db:database
 ```
+
+Note that when you do a `new` environment you will be prompted for these and
+they will get stored in vault directly so you do not need to set them separately.
+
+If you are using another system to generate them and stick into vault
+(ex: terraform) then it will be directly consumed.
+
 You can do this using `safe` in a single command like so:
 ```sh
 safe set secret/dev/ocf-scheduler/db \
@@ -51,6 +58,20 @@ safe set secret/dev/ocf-scheduler/db \
 database="scheduler"
 ```
+for the `external-postgres` feature (no `-vault`) you can override defaults
+using the environment file's params object:
+
+```yaml
+params:
+ pg_scheme: "..."
+ pg_username: "..."
+ pg_password: "..."
+ pg_hostname: "..."
+ pg_port: "..."
+ pg_sslmode: "..."
+ pg_database: "..."
+```
+
 ## `cf-route-registrar`
 By enabling the `cf-route-registrar` feature the kit will extrac the CF deployment
diff --git a/hooks/addon b/hooks/addon
index cec7871..c7213fe 100755
--- a/hooks/addon
+++ b/hooks/addon
@@ -25,7 +25,7 @@ EOF
 cf_login() {
 cf_deployment_env="$(exodus cf_deployment_env)"
 cf_deployment_type="$(exodus cf_deployment_type)"
- cf_exodus="${GENESIS_EXODUS_MOUNT}${cf_deployment_env}/${cf_deployment_type}"
+ cf_exodus_path="${GENESIS_EXODUS_MOUNT}${cf_deployment_env}/${cf_deployment_type}"
 if ! cf plugins | grep -q '^cf-targets'; then
 describe "#Y{The cf-targets plugin does not seem to be installed}"
 echo "Install it first, via 'genesis do $GENESIS_ENVIRONMENT -- setup-cli'"
@@ -33,10 +33,10 @@ cf_login() {
 exit 1
 fi
- system_domain="$(safe get "${cf_exodus}:system_domain")"
+ system_domain="$(safe get "${cf_exodus_path}:system_domain")"
 api_url=https://api.$system_domain
- username="$(safe get "${cf_exodus}:admin_username")"
- password="$(safe get "${cf_exodus}:admin_password")"
+ username="$(safe get "${cf_exodus_path}:admin_username")"
+ password="$(safe get "${cf_exodus_path}:admin_password")"
 #TODO enfoce ssl validation
 cf api "$api_url" --skip-ssl-validation
diff --git a/hooks/blueprint b/hooks/blueprint
index 53f3d86..6f482f6 100755
--- a/hooks/blueprint
+++ b/hooks/blueprint
@@ -8,13 +8,15 @@ manifests+=( manifests/scheduler.yml manifests/releases/scheduler.yml )
 if want_feature "external-postgres" ; then
 manifests+=( manifests/external-postgres.yml )
+elif want_feature "external-postgres-vault" ; then
+ manifests+=( manifests/external-postgres-vault.yml )
 else
 manifests+=( manifests/releases/postgres.yml )
 fi
 for want in $GENESIS_REQUESTED_FEATURES; do
 case "$want" in
-(external-postgres|+internal-postgres) # Covered above
+(external-postgres*|+internal-postgres) # Covered above
 true
 ;;
 (cf-route-registrar)
diff --git a/kit.yml b/kit.yml
index a760890..6cb2ad9 100644
--- a/kit.yml
+++ b/kit.yml
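Review bot: The widened glob `(external-postgres*|+internal-postgres)` in the blueprint `case` also matches misspellings such as a typo in `external-postgres-vault`, and because the `if`/`elif` chain above only recognises the two exact names, such a typo silently deploys the colocated `manifests/releases/postgres.yml` instead of reaching whatever the default branch does with unknown features. Spelling both names out keeps the guard exact: `(external-postgres|external-postgres-vault|+internal-postgres) # Covered above`. The `if`/`elif` also prefers `external-postgres` without comment when both features are requested; failing loudly on that combination would be cheaper than a confusing deploy. The `for`/`case` loop continues past the end of the hunk.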
@@ -1,10 +1,10 @@
 name: ocf-scheduler
-version: 0.0.1
+version: 0.0.16
 author: Wayne E. Seguin
 docs: https://github.com/cloudfoundry-community/scheduler-boshrelease
 code: https://github.com/genesis-community/scheduler-genesis-kit
-genesis_version_min: 2.8.4
+genesis_version_min: 2.8.5
 credentials:
 +internal-postgres:
@@ -12,10 +12,33 @@ credentials:
 password: random 32 fixed
 provided:
- +external-postgres:
- role:
+ external-postgres:
+ db:
 keys:
 password:
 prompt: "Password for the external Postgresql Database"
- username:
+
+ external-postgres-vault: # feature
+ db: # vault suffix path
+ keys: # vault keys hash
+ username: # vault key name & value
 prompt: "Username for the external Postgresql Database"
+ default: "postgres"
+ password:
+ prompt: "Password for the external Postgresql Database"
+ scheme:
+ prompt: "Scheme for the external Postgresql Database"
+ default: "postgres"
+ hostname:
+ prompt: "hostname (or IP) for the external Postgresql Database"
+ default: "127.0.0.1"
+ port:
+ prompt: "Port for the external Postgresql Database"
+ default: "5432"
+ sslmode:
+ prompt: "SSL Mode for the external Postgresql Database (disable/enable)"
+ default: "disable"
+ database:
+ prompt: "Database for the external Postgresql Database"
+ default: "postgres"
+
diff --git a/manifests/cf-route-registrar.yml b/manifests/cf-route-registrar.yml
index d618f68..969c2a7 100644
--- a/manifests/cf-route-registrar.yml
+++ b/manifests/cf-route-registrar.yml
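Review bot: The `sslmode` prompt for `external-postgres-vault` suggests `(disable/enable)`, but `enable` is not a value libpq accepts — the valid set is `disable`, `allow`, `prefer`, `require`, `verify-ca` and `verify-full` — so an operator who follows the hint gets a connection failure at deploy time. The default of `"disable"` also means the prompted username and password cross the network in clear to a database that, for this feature, lives outside the deployment; `require` (or `verify-full` where the server certificate can be trusted) is the safer default for an external endpoint. Suggested line: `prompt: "SSL Mode for the external Postgresql Database (disable/require/verify-ca/verify-full)"`. The `credentials:` map this hunk edits begins above the hunk.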
@@ -12,17 +12,17 @@ addons:
 aliases:
 - domain: nats.service.cf.internal
 targets:
- - deployment: (( grab meta.cf.deployment_name ))
+ - deployment: (( grab meta.cf_deployment_name ))
 domain: bosh
 instance_group: nats
- network: (( grab params.cf.core_network ))
+ network: (( grab params.cf_core_network ))
 query: '*'
 - domain: _.nats.service.cf.internal
 targets:
- - deployment: (( grab meta.cf.deployment_name ))
+ - deployment: (( grab meta.cf_deployment_name ))
 domain: bosh
 instance_group: nats
- network: (( grab params.cf.core_network ))
+ network: (( grab params.cf_core_network ))
 query: _
 ---
 - type: replace
@@ -33,21 +33,21 @@ addons:
 consumes:
 nats-tls:
 from: nats-tls
- deployment: (( grab meta.cf.deployment_name ))
+ deployment: (( grab meta.cf_deployment_name ))
 properties:
 nats:
 tls:
 enabled: true
- client_cert: (( grab params.nats.client_cert ))
- client_key: (( grab params.nats.client_key ))
+ client_cert: (( grab params.nats_client_cert ))
+ client_key: (( grab params.nats_client_key ))
 route_registrar:
 routes:
 - name: scheduler
 port: 8000 # Scheduler API Port
 registration_interval: 10s
 uris:
- - (( grab params.scheduler.domain ))
- host: (( grab params.cf.system_domain ))
+ - (( grab params.scheduler_domain ))
+ host: (( grab params.cf_system_domain ))
 - type: replace
 path: /instance_groups/0/jobs/name=bpm?
 value:
diff --git a/manifests/external-postgres-vault.yml b/manifests/external-postgres-vault.yml
new file mode 100644
index 0000000..48fa50e
--- /dev/null
+++ b/manifests/external-postgres-vault.yml
@@ -0,0 +1,15 @@
+---
+params:
+ pg_scheme: (( vault meta.vault "/db:scheme" ))
+ pg_username: (( vault meta.vault "/db:username" ))
+ pg_password: (( vault meta.vault "/db:password" ))
+ pg_hostname: (( vault meta.vault "/db:hostname" ))
+ pg_port: (( vault meta.vault "/db:port" ))
+ pg_sslmode: (( vault meta.vault "/db:sslmode" ))
+ pg_database: (( vault meta.vault "/db:database" ))
+
+instance_groups:
+- name: scheduler
+ jobs:
+ - (( delete "postgres" ))
+
diff --git a/manifests/external-postgres.yml b/manifests/external-postgres.yml
index ada0aa3..48fa50e 100644
--- a/manifests/external-postgres.yml
+++ b/manifests/external-postgres.yml
@@ -1,13 +1,12 @@
 ---
-meta:
- pg:
- scheme: (( vault meta.vault "/db:scheme" ))
- username: (( vault meta.vault "/db:username" ))
- password: (( vault meta.vault "/db:password" ))
- hostname: (( vault meta.vault "/db:hostname" ))
- port: (( vault meta.vault "/db:port" ))
- sslmode: (( vault meta.vault "/db:sslmode" ))
- database: (( vault meta.vault "/db:database" ))
+params:
+ pg_scheme: (( vault meta.vault "/db:scheme" ))
+ pg_username: (( vault meta.vault "/db:username" ))
+ pg_password: (( vault meta.vault "/db:password" ))
+ pg_hostname: (( vault meta.vault "/db:hostname" ))
+ pg_port: (( vault meta.vault "/db:port" ))
+ pg_sslmode: (( vault meta.vault "/db:sslmode" ))
+ pg_database: (( vault meta.vault "/db:database" ))
 instance_groups:
 - name: scheduler
diff --git a/manifests/scheduler.yml b/manifests/scheduler.yml
index 1b314fc..14a48da 100644
--- a/manifests/scheduler.yml
+++ b/manifests/scheduler.yml
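Review bot: After this hunk `manifests/external-postgres.yml` is byte-identical to the new `manifests/external-postgres-vault.yml` (both `index` lines end in blob `48fa50e`), so the `external-postgres` feature still resolves every `pg_*` value through `(( vault meta.vault "/db:…" ))` instead of letting the environment file's `params` override the defaults in `manifests/scheduler.yml`, which is what the README hunk in this commit says the non-`-vault` feature does. Combined with `kit.yml`, which for `external-postgres` now provisions only `db:password`, a deploy that does not separately seed `db:scheme`, `db:username`, `db:hostname`, `db:port`, `db:sslmode` and `db:database` fails in those vault lookups. If the README describes the intent, this file should drop its `params:` block and keep only the `instance_groups` entry that deletes the colocated `postgres` job, leaving the vault-backed block to the `-vault` manifest alone.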
@@ -2,38 +2,33 @@
 meta:
 default:
 azs: [z1]
- pg:
- scheme: (( grab params.pg.scheme || "postgres" ))
- username: (( grab params.pg.username || "ocf-scheduler" ))
- password: (( grab params.pg.password || "ocf-scheduler" ))
- hostname: (( grab params.pg.hostname || "127.0.0.1" ))
- port: (( grab params.pg.port || "5432" ))
- sslmode: (( grab params.pg.sslmode || "disable" ))
- database: (( grab params.pg.database || "ocf-scheduler" ))
- cf:
- exodus: (( concat $GENESIS_EXODUS_MOUNT params.cf.deployment_env "/" params.cf.deployment_type ))
- deployment_name: (( concat params.cf.deployment_env "-" params.cf.deployment_type ))
- system_domain: (( vault "secret/exodus/" params.cf.deployment_env "/cf:system_domain" ))
-params:
- cf:
- deployment_env: (( grab genesis.env )) # assume the same env name as cf env
- deployment_type: cf # for crazy people using an non-"cf" cf deployment name
- core_network: (( vault meta.cf.exodus ":core_network" ))
- system_domain: (( vault meta.cf.exodus ":system_domain" ))
- system_org: (( vault meta.cf.exodus ":system_org" ))
- system_space: (( vault meta.cf.exodus ":system_space" ))
- username: (( vault meta.cf.exodus ":admin_username" ))
- password: (( vault meta.cf.exodus ":admin_password" ))
- network: (( grab params.cf.core_network ))
- nats:
- client_cert: (( vault meta.cf.exodus ":nats_client_cert" ))
- client_key: (( vault meta.cf.exodus ":nats_client_key" ))
- uaa:
- client_id: (( vault meta.cf.exodus ":app_scheduler_client" ))
- client_secret: (( vault meta.cf.exodus ":app_scheduler_secret" ))
- scheduler:
- domain: (( concat "scheduler." meta.cf.system_domain ))
+ cf_exodus_path: (( concat $GENESIS_EXODUS_MOUNT params.cf_deployment_env "/" params.cf_deployment_type ))
+ cf_deployment_name: (( concat params.cf_deployment_env "-" params.cf_deployment_type ))
+ cf_system_domain: (( vault "secret/exodus/" params.cf_deployment_env "/cf:system_domain" ))
+
+params: # NOTE: Contract with kit & genesis is that params are flat for kits.
+ cf_deployment_env: (( grab genesis.env )) # assume the same env name as cf env
+ cf_deployment_type: cf # for crazy people using an non-"cf" cf deployment name
+ cf_core_network: (( vault meta.cf_exodus_path ":core_network" ))
+ cf_system_domain: (( vault meta.cf_exodus_path ":system_domain" ))
+ cf_system_org: (( vault meta.cf_exodus_path ":system_org" ))
+ cf_system_space: (( vault meta.cf_exodus_path ":system_space" ))
+ cf_username: (( vault meta.cf_exodus_path ":admin_username" ))
+ cf_password: (( vault meta.cf_exodus_path ":admin_password" ))
+ network: (( grab params.cf_core_network ))
+ nats_client_cert: (( vault meta.cf_exodus_path ":nats_client_cert" ))
+ nats_client_key: (( vault meta.cf_exodus_path ":nats_client_key" ))
+ uaa_client_id: (( vault meta.cf_exodus_path ":app_scheduler_client" ))
+ uaa_client_secret: (( vault meta.cf_exodus_path ":app_scheduler_secret" ))
+ scheduler_domain: (( concat "scheduler." meta.cf_system_domain ))
+ pg_scheme: "postgres"
+ pg_username: "ocf-scheduler"
+ pg_password: "ocf-scheduler"
+ pg_hostname: "127.0.0.1"
+ pg_port: "5432"
+ pg_sslmode: "disable"
+ pg_database: "ocf-scheduler"
 instance_groups:
 - name: scheduler
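Review bot: `pg_password: "ocf-scheduler"` and `pg_username: "ocf-scheduler"` are now literal defaults in the kit's `params`, and nothing in this hunk references the `+internal-postgres` credential that `kit.yml` generates with `random 32 fixed`, so every environment that does not override them runs the colocated `postgres` job (whose role and database are built from these same values in hunk `@@ -54,23 +49,23 @@`) with a well-known password. The old `(( grab params.pg.password || "ocf-scheduler" ))` fallback had the same weakness, so this is not introduced here, but the flattening is the natural point to source `pg_password` from the generated secret instead of a constant. At minimum a comment on the `pg_*` block would make the trade-off visible: `# defaults for the colocated postgres job only; the external-postgres* manifests replace these via params.pg_*`.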
@@ -54,23 +49,23 @@ instance_groups:
 properties:
 scheduler:
 uaa:
- client_id: (( grab params.uaa.client_id ))
- client_secret: (( grab params.uaa.client_secret ))
- endpoint: (( concat "https://uaa." params.cf.system_domain ))
+ client_id: (( grab params.uaa_client_id ))
+ client_secret: (( grab params.uaa_client_secret ))
+ endpoint: (( concat "https://uaa." params.cf_system_domain ))
 cf:
- api: (( concat "https://api." params.cf.system_domain ))
+ api: (( concat "https://api." params.cf_system_domain ))
 postgres:
- uri: (( concat "postgres://" meta.pg.username ":" meta.pg.password "@" meta.pg.hostname ":" meta.pg.port "/" meta.pg.database "?sslmode=" meta.pg.sslmode ))
+ uri: (( concat "postgres://" params.pg_username ":" params.pg_password "@" params.pg_hostname ":" params.pg_port "/" params.pg_database "?sslmode=" params.pg_sslmode ))
 - name: postgres
 properties:
 databases:
 roles:
- - name: (( grab meta.pg.username ))
- password: (( grab meta.pg.password ))
+ - name: (( grab params.pg_username ))
+ password: (( grab params.pg_password ))
 databases:
- - name: (( grab meta.pg.database ))
- port: (( grab meta.pg.port ))
+ - name: (( grab params.pg_database ))
+ port: (( grab params.pg_port ))
 provides:
 postgres:
 as: scheduler-postgres
@@ -90,11 +85,11 @@ instance_groups:
 release: ocf-scheduler
 properties:
 cf:
- username: (( grab params.cf.username ))
- password: (( grab params.cf.password ))
- api: (( concat "https://api." params.cf.system_domain ))
- organization: (( grab params.cf.system_org ))
- space: (( grab params.cf.system_space ))
+ username: (( grab params.cf_username ))
+ password: (( grab params.cf_password ))
+ api: (( concat "https://api." params.cf_system_domain ))
+ organization: (( grab params.cf_system_org ))
+ space: (( grab params.cf_system_space ))
 name: scheduler
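Review bot: The `uri:` line splices `params.pg_username`, `params.pg_password`, `params.pg_hostname`, `params.pg_port` and `params.pg_database` into a `postgres://` URL with `concat` and no escaping, so a username or password containing `@`, `/`, `:`, `?` or `#` — entirely possible for a value typed at the `external-postgres-vault` prompts — yields a URI that parses at the wrong boundary and fails at connect time. Unless the values are percent-encoded before they reach this manifest, the constraint should be written down where they are produced and consumed; a comment on the `uri:` line such as `# components are interpolated unescaped: pg_username/pg_password must not contain URI-reserved characters` plus the same remark at the kit.yml prompts would save a confusing deploy failure. The `scheduler` job's `properties:` block starts above this hunk, and the file's third hunk (`@@ -90,11 +85,11 @@`) is cut off at the end of the page.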