If Kron PAM has just been installed and the t_dek table in the database is empty, there are no DEK records to migrate. In this case, activating HSM-based key storage is a one-line change to security.properties:
kron.crypto.keyProvider = hsm
Add or update this line in /pam/kron/security/security.properties. Once this change is saved, start Kron PAM services and the system will begin generating new DEK records backed by the HSM master key from first use.