When used in cryptographic applications, generalpurpose processors are often completed by a cryptographic accelerator - crypto-coprocessor. Secret keys are usually stored in the internal registers of the processor, and are vulnerable to attacks on protocols, software/firmware or cache memory. The paper presents three ways of extending soft general purpose processors for cryptographic applications. The proposed extension is aimed at symmetric key cryptography and it guarantees secure key management. Three security zones are created and physically separated in each of three configurations: processor, cipher and key storage zones. In the three zones, the secret keys are manipulated in a different manner - in clear or enciphered, as common data or keys. The security zones are separated on the protocol, system, architectural and physical levels. The proposed principle is validated on Altera NIOS II, Xilinx MicroBlaze and Actel Cortex M1 soft core processor extensions. The NIOS II processor needs fewer clock cycles per data block encryption, because the security module is included in the processor's data path. The data path of the MicroBlaze is unchanged and thus shorter, but additional clock cycles are necessary for data transfers between the processor and the security module. The Cortex M1 processor is connected via AHB bus and the cryptographic extension is accessed as an ordinary peripheral - a coprocessor. Although the interfacing is different, the three processors with their extensions attain the required high security level.