diff --git a/lib/hdb/common.c b/lib/hdb/common.c
index 41bcfdd54..a30dfec21 100644
--- a/lib/hdb/common.c
+++ b/lib/hdb/common.c
@@ -999,7 +999,7 @@ derive_keys(krb5_context context,
     base_keys.val = 0;
     base_keys.len = 0;
     if (ret == 0)
-        ret = hdb_remove_base_keys(context, h, &base_keys);
+        ret = _hdb_remove_base_keys(context, h, &base_keys, &kr);
 
     /* Make sure we have h->etypes */
     if (ret == 0 && !h->etypes)
diff --git a/lib/hdb/hdb.c b/lib/hdb/hdb.c
index fb69152e6..11932ca90 100644
--- a/lib/hdb/hdb.c
+++ b/lib/hdb/hdb.c
@@ -232,38 +232,25 @@ hdb_remove_keys(krb5_context context,
  * @param context Context
  * @param e The HDB entry
  * @param ks A pointer to a variable of type HDB_Ext_KeySet
+ * @param ckr A pointer to stable (copied) HDB_Ext_KeyRotation
  *
  * @return Zero on success, an error code otherwise.
  */
 krb5_error_code
-hdb_remove_base_keys(krb5_context context,
-                     hdb_entry *e,
-                     HDB_Ext_KeySet *base_keys)
+_hdb_remove_base_keys(krb5_context context,
+                      hdb_entry *e,
+                      HDB_Ext_KeySet *base_keys,
+                      const HDB_Ext_KeyRotation *ckr)
 {
-    krb5_error_code ret;
-    const HDB_Ext_KeyRotation *ckr;
-    HDB_Ext_KeyRotation kr;
+    krb5_error_code ret = 0;
     size_t i, k;
 
-    ret = hdb_entry_get_key_rotation(context, e, &ckr);
-    if (!ckr)
-        return 0;
-
-    if (ret == 0) {
-        /*
-         * Changing the entry's extensions invalidates extensions obtained
-         * before the change.
-         */
-        ret = copy_HDB_Ext_KeyRotation(ckr, &kr);
-        ckr = NULL;
-    }
     base_keys->len = 0;
-    if (ret == 0 &&
-        (base_keys->val = calloc(kr.len, sizeof(base_keys->val[0]))) == NULL)
+    if ((base_keys->val = calloc(ckr->len, sizeof(base_keys->val[0]))) == NULL)
         ret = krb5_enomem(context);
 
-    for (k = i = 0; ret == 0 && i < kr.len; i++) {
-        const KeyRotation *krp = &kr.val[i];
+    for (k = i = 0; ret == 0 && i < ckr->len; i++) {
+        const KeyRotation *krp = &ckr->val[i];
 
         /*
          * WARNING: O(N * M) where M is number of keysets and N is the number
@@ -284,7 +271,6 @@ hdb_remove_base_keys(krb5_context context,
         base_keys->len = k;
     else
         free_HDB_Ext_KeySet(base_keys);
-    free_HDB_Ext_KeyRotation(&kr);
     return 0;
 }
 
diff --git a/lib/hdb/libhdb-exports.def b/lib/hdb/libhdb-exports.def
index a124f93f6..72a7fb7aa 100644
--- a/lib/hdb/libhdb-exports.def
+++ b/lib/hdb/libhdb-exports.def
@@ -69,7 +69,6 @@ EXPORTS
 	hdb_prune_keys
 	hdb_prune_keys_kvno
 	hdb_read_master_key
-	hdb_remove_base_keys
 	hdb_remove_keys
 	hdb_replace_extension
 	hdb_seal_key
diff --git a/lib/hdb/version-script.map b/lib/hdb/version-script.map
index 0846f7337..058060dae 100644
--- a/lib/hdb/version-script.map
+++ b/lib/hdb/version-script.map
@@ -70,7 +70,6 @@ HEIMDAL_HDB_1.0 {
 		hdb_prune_keys;
 		hdb_prune_keys_kvno;
 		hdb_read_master_key;
-		hdb_remove_base_keys;
 		hdb_remove_keys;
 		hdb_replace_extension;
 		hdb_seal_key;