The first key is called the "Tamper" key and is known only to the manufacturer of the unit (and in fact no human at the manufactuer knows the actual tamper key, but how that is accomplished goes beyond the scope of this document).
The second key is broken into 7 pieces which are stored on small plastic keys called "Crypto Ignition Keys" (or just CIKs). In order to recover this second DES key requires the use of at least 2 of these CIKs.
When the IPRA key is required to sign a certificate, the signature unit will request that two CIKs be inserted (they actually are inserted one after the other into the same key slot). The IPRA private key is then decrypted using both the unit's tamper key as well as the DES key recovered from the two CIKs.
What happens if the unit breaks, how is the IPRA private key recovered?
The answer is quite simple. The encrypted IPRA private key is stored on a cryptographic fill device (basically it is another CIK like plastic key, only larger) encrypted in both the CIK key and the tamper key.
A replacement unit can be delivered from the factor that contains the same tamper key. Using this replacement unit, the IPRA private key can be loaded from the cryptographic fill device.
Why the bother?
The answer to this question is also simple. By using this secure technology to store the IPRA private key ensures that it cannot be disclosed to any person and from there abused. In fact because the CIKs are personally held by individuals, and two are required to recover the CIK DES key, two people are required to make use of the IPRA private key.
The actual Certificate Signature Unit we are using to store the IPRA key is the SafeKeyper (tm) manufactured by the BBN Corporation in collaboration with RSA Data Security, Inc.