Before starting Kron PAM services, open security.properties and confirm that kron.crypto.keyProvider is set to hsm. This is the switch that tells the Kron PAM application to route all master key operations through the HSM. Any other value - such as the default 'file' - means the software key is still in use regardless of all other configuration.
Once confirmed, start Kron PAM Web GUI and other services:
[pamuser@KronPAM_Instance]# systemctl restart pam-gui
After the service starts, log in to the Kron PAM console and verify that session creation, credential retrieval, and vault access all work correctly. These operations exercise the full key hierarchy - DEK retrieval, decryption via the master key, and data access - and a successful round-trip confirms that HSM integration is working end-to-end.
Check /var/log/utimaco/ after PAM starts. You should see entries corresponding to the key lookup and initial cryptographic operations. Ongoing activity in this log confirms that the PAM application is actively using the HSM rather than falling back to any cached or software-based key material.