With the libraries deployed, configuration files created, and passwords registered, the final phase is to activate HSM-based key storage within Kron PAM. The correct procedure depends on whether this is a new installation or an existing deployment. The distinction is important because an existing deployment has DEK records in the database that are currently encrypted under the software-based master key; those records must be re-encrypted under the new HSM key before the software key provider is deactivated.
