It's cryptographic marketing spiel to convince end users to pay double.
This is about hardware. All it means is that the cryptographic key(s), typically generated via a true random process, is/are never sent outside of the physical device. The best way to illustrate this is by example: https://www.maximintegrated.com/en/design/partners-and-technology/design-technology/chipdna-puf-technology.html

They say:
"Most importantly, the ChipDNA secure key never resides statically in registers or memory, nor does it ever leave the electrical boundary of the IC."
My above example is a physical unclonable function (PUF) designed for secure authentication. You might have one in a posh printer cartridge or embedded microcontroller.
"If one user generates a key, another user takes management and control. How do devices do this?"
That would be the case for a key generator / true random number generator or quantum key distribution node. But not for authentication. There is no need to give out a private key in authentication use cases. The device seals itself off from the external world to either securely sign unpredictable keys, or completely destroy them with no possibility to recall. That way the signature/destroy processes can't be interfered with.
That simply means new keys (TRNG in the schematics) are obfuscated by some one-way function; SHA-3 in this case. And in conjunction with a "SHA3 SECRET", probably a general device key owned by Maxim (and the PUF part). That creates an ersatz keyed hash function. The SHA3 SECRET key(s) is/are not directly accessible by any input/output circuits.
It's unlikely that users will ever know the true details as this is proprietary intellectual property and can't be easily audited. FIPS 140-2 is just the applicable standard to which such devices are made.
Zeroization is what it sounds like. That and the key obfuscation are to prevent key extraction discussed in this question.
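The idea described in the answer above, as an added Python sketch that is not part of the original answer and is not Maxim's protocol: a secret that never crosses the device boundary, a SHA-3 keyed hash over a host challenge, and zeroization. The class and function names, the 32-byte secret, and the enrollment of challenge/response pairs are assumptions made for illustration; a software object only models the boundary that real hardware enforces.

```python
import hashlib
import hmac
import os


class SealedDevice:
    """Simulated IC (hypothetical): the secret has no getter or export path."""

    def __init__(self):
        # Stand-in for a PUF/TRNG-derived secret (assumption: 32 random bytes).
        self.__secret = bytearray(os.urandom(32))

    def respond(self, challenge: bytes) -> bytes:
        """Keyed hash SHA3-256(secret || challenge); only the digest leaves."""
        if self.__secret is None:
            raise RuntimeError("device zeroized")
        # Prefix keying is sound for SHA-3 (no length-extension weakness).
        return hashlib.sha3_256(bytes(self.__secret) + challenge).digest()

    def zeroize(self) -> None:
        """Overwrite the secret in place, then drop it; it cannot be recalled."""
        for i in range(len(self.__secret)):
            self.__secret[i] = 0
        self.__secret = None


def enroll(device: SealedDevice, count: int = 4) -> dict:
    """Trusted enrollment: record challenge/response pairs, never the secret."""
    challenges = (os.urandom(16) for _ in range(count))
    return {c: device.respond(c) for c in challenges}


def authenticate(device: SealedDevice, pairs: dict) -> bool:
    """Spend one unused pair and compare the device's answer in constant time."""
    challenge, expected = pairs.popitem()  # each challenge is used only once
    try:
        return hmac.compare_digest(device.respond(challenge), expected)
    except RuntimeError:
        return False  # a zeroized device can no longer prove anything
```

The verifier here stores only previously recorded responses, so a compromise of the verifier does not reveal the device secret, and each pair is discarded after use so a captured response cannot be replayed.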