A hardware security module (HSM) is a hardware encryption device that's connected to a server at the device level, typically using PCI, SCSI, serial, or USB interfaces. An HSM is a dedicated hardware device that is managed separately from the operating system. These modules provide a secure hardware store for CA keys, as well as a dedicated cryptographic processor to accelerate signing and encrypting operations. Windows utilizes the HSM through the CryptoAPI interfaces—the HSM functions as a cryptographic service provider (CSP) device. 

An HSM can provide secure operational management - protected by multi-layered hardware and software tokens - as well as a number of other key features, including:

• Hardware-based, cryptographic operations (such as random number generation, key generation, digital signatures, and key archive and recovery).
• Hardware protection of valuable private keys used to secure asymmetric cryptographic operations.
• Secure management of private keys.
• Acceleration of cryptographic operations. (This relieves the host server of having to perform processor-intensive, cryptographic calculations.)
• Load balancing and failover in hardware modules using multiple HSMs linked together through a daisy chain.

Additional References

• Windows 2000 Server and PKI: Using the nCipher Hardware Security Module
• Set Up a Certification Authority by Using a Hardware Security Module
• CREN: Hardware Security Modules
• SafeNet Hardware Security Modules
• Thales Hardware Security Modules
• Futurex Hardware Security Modules