The Full Form of HSM is Hardware Security Module.
A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys and performs encryption, decryption, digital signing, strong authentication and other cryptographic functions. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. A hardware security module contains one or more secure cryptoprocessor chips.
The hardware security module (HSM) is a special “trusted” network computer performing a variety of cryptographic operations: key management, key exchange, encryption etc.
It should be obvious that cryptographic operations must be performed in a trusted environment. When I say trusted, I mean "no viruses, no malware, no exploits, no unauthorized access." An HSM is trusted because it:
An ordinary, run-of-the-mill programmer mixes the database access code, business logic and cryptographic calls in one big application. This is a dangerous approach, as an attacker can use crafted data and vulnerabilities to reach cryptographic material, steal keys, install an arbitrary X.509 certificate and so on. In one case that I know of, an XML vulnerability opened a door to a hacker who installed a root certificate as a trusted CA and stole $20 million.
To prevent scenarios like this, we need to separate the operations into two different areas: one for the business logic and one for cryptography. You then entrust the cryptographic operations to a trusted computer, also known as an HSM.
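The split described above, as an added example that is not part of the original article: the `KeyModule` class is a software stand-in for an HSM (its name, the opaque key handles and the audit log are this example's own assumptions, not a real HSM API), and `OrderService` is the business-logic side that parses untrusted input but never holds key bytes. HMAC-SHA256 stands in for an asymmetric signature so the example runs with only the standard library.

```python
"""Separating business logic from key custody, HSM-style (added example)."""
import hashlib
import hmac
import json
import secrets


class KeyModule:
    """Software stand-in for an HSM (assumed design, not a vendor API).

    Keys are generated inside the module and are referenced from outside
    only by an opaque handle. There is deliberately no method that returns
    key bytes, and every operation is recorded in an audit log.
    """

    def __init__(self):
        self._keys = {}       # handle -> key bytes, private to the module
        self.audit_log = []   # (operation, handle) tuples

    def generate_key(self, label):
        handle = f"key:{label}:{secrets.token_hex(4)}"
        self._keys[handle] = secrets.token_bytes(32)
        self.audit_log.append(("generate", handle))
        return handle  # the caller gets a handle, never the key

    def _lookup(self, handle):
        try:
            return self._keys[handle]
        except KeyError:
            raise LookupError("unknown key handle") from None

    def sign(self, handle, data):
        key = self._lookup(handle)
        self.audit_log.append(("sign", handle))
        return hmac.new(key, data, hashlib.sha256).digest()

    def verify(self, handle, data, tag):
        key = self._lookup(handle)
        self.audit_log.append(("verify", handle))
        expected = hmac.new(key, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class OrderService:
    """Business-logic side: parses untrusted input, knows only a key handle."""

    def __init__(self, hsm, handle):
        self._hsm = hsm
        self._handle = handle

    def issue_receipt(self, raw_order):
        # Untrusted JSON is parsed here, in the application, not in the module.
        order = json.loads(raw_order)
        payload = json.dumps(
            {"id": order["id"], "amount": order["amount"]}, sort_keys=True
        ).encode()
        tag = self._hsm.sign(self._handle, payload)
        return payload, tag.hex()

    def check_receipt(self, payload, tag_hex):
        return self._hsm.verify(self._handle, payload, bytes.fromhex(tag_hex))


def holds_key_material(obj):
    """True if any attribute of obj is raw bytes (i.e. key material leaked out)."""
    return any(isinstance(v, (bytes, bytearray)) for v in vars(obj).values())


if __name__ == "__main__":
    hsm = KeyModule()
    handle = hsm.generate_key("receipts")
    service = OrderService(hsm, handle)
    # Constructed sample order; in practice this is attacker-reachable input.
    payload, tag = service.issue_receipt('{"id": 7, "amount": 42}')
    print("valid receipt verifies:", service.check_receipt(payload, tag))
    print("tampered receipt verifies:",
          service.check_receipt(payload.replace(b"42", b"4200"), tag))
    print("application holds key bytes:", holds_key_material(service))
    print("audit log:", hsm.audit_log)
```

The point of the structure is that a bug in `OrderService` (the JSON parsing, for instance) can at most misuse the handle to request signatures, which the module's audit log records; it cannot read or replace the key, because no code path returns it across the boundary.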
HSM means Hardware Security Module.