General-purpose processors are not suitable for secure cryptographic key management. Secret keys are usually stored in the internal registers of the processor, and simple attacks on protocols, software/firmware or cache memory can often lead to key disclosure causing a system security failure. The paper presents a novel principle of processor extensions that enable secure key management. This principle is based on the creation and physical separation of three security zones: processor, cipher and key storage. In each of the three zones, the secret keys are manipulated in a different manner - as ordinary data or keys, in clear or encrypted. In order to increase security, the security zones are separated from each other on the protocol, architectural and physical level. The proposed principle is validated as extensions to both NIOS II and MicroBlaze processors. The NIOS II processor needs fewer clock cycles per data block encryption, because the security module is included in the processor's data path. The data path of the MicroBlaze is unchanged, and thus shorter, but additional clock cycles are necessary for data transfers between the processor and the security module. Although the interfacing is different, both processors attain the required high security level.