A hardware security module (HSM) is a hardware encryption device that's connected to a server at the device level, typically using PCI, SCSI, serial, or USB interfaces. An HSM is a dedicated hardware device that is managed separately from the operating system. These modules provide a secure hardware store for CA keys, as well as a dedicated cryptographic processor to accelerate signing and encrypting operations. Windows utilizes the HSM through the CryptoAPI interfaces—the HSM functions as a cryptographic service provider (CSP) device. 

An HSM can provide secure operational management - protected by multi-layered hardware and software tokens - as well as a number of other key features, including:

  • Hardware-based, cryptographic operations (such as random number generation, key generation, digital signatures, and key archive and recovery).
  • Hardware protection of valuable private keys used to secure asymmetric cryptographic operations.
  • Secure management of private keys.
  • Acceleration of cryptographic operations. (This relieves the host server of having to perform processor-intensive, cryptographic calculations.)
  • Load balancing and failover in hardware modules using multiple HSMs linked together through a daisy chain.

Additional References
Windows 2000 Server and PKI: Using the nCipher Hardware Security Module
Set Up a Certification Authority by Using a Hardware Security Module
CREN: Hardware Security Modules
SafeNet Hardware Security Modules
Thales Hardware Security Modules