The point is to have the decryption done on a system that is isolated from the production environment (and is consequently isolated from security compromises).