If the HSM integration must be reversed - for example, due to HSM hardware failure or a network outage that prevents the Kron PAM server from reaching the device - the dek-rotator.jar tool provides a Migrate master key from HSM option (menu option 3). This operation performs the reverse migration: it re-encrypts all DEK records using a software-based master key, allowing the key provider to be switched back to 'file'.
Before initiating rollback, ensure you have the software master key value available. The tool will prompt for it during the migration. After the migration completes, set kron.crypto.keyProvider back to its original value in security.properties and restart Kron PAM services.