diff --git a/src/eap-peap.c b/src/eap-peap.c
index f1c67ac6..66cfa42f 100644
--- a/src/eap-peap.c
+++ b/src/eap-peap.c
@@ -201,6 +201,7 @@ static bool eap_peap_tunnel_ready(struct eap_state *eap,
 msk_emsk, 128);
 eap_set_key_material(eap, msk_emsk + 0, 64, NULL, 0, NULL, 0);
+ explicit_bzero(msk_emsk, sizeof(msk_emsk));
 eap_tls_common_send_empty_response(eap);
diff --git a/src/eap-tls-common.c b/src/eap-tls-common.c
index a86cadfc..3742ab18 100644
--- a/src/eap-tls-common.c
+++ b/src/eap-tls-common.c
@@ -912,6 +912,10 @@ done:
 (l_queue_destroy_func_t) l_cert_free);
 l_certchain_free(cert);
 l_key_free(priv_key);
+
+ if (passphrase)
+ explicit_bzero(passphrase, strlen(passphrase));
+
 return ret;
 }
diff --git a/src/eap-tls.c b/src/eap-tls.c
index 88b26f61..56189ea7 100644
--- a/src/eap-tls.c
+++ b/src/eap-tls.c
@@ -49,6 +49,8 @@ static bool eap_tls_tunnel_ready(struct eap_state *eap,
 iv, 64);
 eap_set_key_material(eap, msk_emsk + 0, 64, msk_emsk + 64, 64, iv, 64);
+ explicit_bzero(msk_emsk, sizeof(msk_emsk));
+ explicit_bzero(iv, sizeof(iv));
 eap_tls_common_send_empty_response(eap);
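Review bot: `explicit_bzero()` is introduced here and again in the eap-tls-common.c and eap-tls.c hunks, but none of the three file sections adds an include or a fallback, so the build relies on every supported libc declaring it through a header these files already pull in. If the project targets a libc without it, a configure check and a small shim would be needed; the diff does not show whether one exists. `sizeof(msk_emsk)` is the right length only while `msk_emsk` is an array declared in this function (the declaration is above the hunk), and the wipe is safe only if the callee copies the key, so a comment such as `/* eap_set_key_material() keeps its own copy; scrub the stack buffer */` would record both assumptions.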
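Review bot: The scrub at `done:` is sized with `strlen(passphrase)`, so it clears only the bytes up to the first NUL and only the copy held by this local pointer. If `passphrase` was handed out as a fresh allocation by whatever stores the configuration, that store presumably still holds the secret, so this narrows the exposure rather than removing it. A comment would make the limit visible, for example `/* Scrub our copy of the key passphrase before it is released */`. The function starts above the hunk, so it cannot be confirmed from here that every exit path after the passphrase is read goes through `done:`, or where the buffer is freed.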