The Device Key Encryption Key (DKEK) is an AES-256 key stored in the SmartCard-HSM. It is used to securely export or import key material.
The questions is: Where does that key come from ? The DKEK Share is the answer. The final DKEK in the SmartCard-HSM is assembled from DKEK shares in a XOR operation. After you initialize the device, a temporary buffer is initialized with all 00. Then you import the first DKEK share and that is updating the buffer in an XOR operation. Then you import the next DKEK share and again the value in the buffer is XORed. After you have imported all shares, the final DKEK value is in the buffer is the result of performing XOR operations on all DKEK shares. That way the confidentiality of the DKEK is maintained by splitting the secret in n-XOR shares.
Of course each DKEK share contains a part of the final secret, so that must be kept confidential as well. One way could be, that the key custodian himself creates a password with 256 bit entropy. That is however not really feasible. Instead the sc-hsm-tool generates a DKEK share using the random number generator in the SmartCard-HSM and then encrypts the DKEK share using a password supplied by the key custodian. That way the entropy of the supplied password can be lower that the actual DKEK share.
An adversary needs both, the encrypted DKEK share file and the password. And that from all key custodians involved in creating the DKEK.
Additionally, access to the DKEK share can be controlled by a n-of-m threshold scheme. So rather than providing a password to decrypt the DKEK share, n of the m assigned key custodians must present their password to decrypt the DKEK share.