diff --git a/src/eapol.c b/src/eapol.c
index bb3defed..94966e56 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -1247,9 +1247,10 @@ static void eapol_send_ptk_3_of_4(struct eapol_sm *sm)
 }
 kek = handshake_state_get_kek(sm->handshake);
-
 key_data_len = eapol_encrypt_key_data(kek, key_data_buf,
- key_data_len, ek, sm->mic_len);
+ key_data_len, ek, sm->mic_len);
+ explicit_bzero(key_data_buf, sizeof(key_data_buf));
+
 if (key_data_len < 0)
 return;
@@ -1900,6 +1901,9 @@ static void eapol_key_handle(struct eapol_sm *sm,
 }
 done:
+ if (decrypted_key_data)
+ explicit_bzero(decrypted_key_data, key_data_len);
+
 l_free(decrypted_key_data);
 }
diff --git a/src/handshake.c b/src/handshake.c
index 6e7b7c4a..97aff416 100644
--- a/src/handshake.c
+++ b/src/handshake.c
@@ -79,9 +79,13 @@ void handshake_state_free(struct handshake_state *s)
 l_free(s->supplicant_ie);
 l_free(s->mde);
 l_free(s->fte);
- l_free(s->passphrase);
- memset(s, 0, sizeof(*s));
+ if (s->passphrase) {
+ explicit_bzero(s->passphrase, strlen(s->passphrase));
+ l_free(s->passphrase);
+ }
+
+ explicit_bzero(s, sizeof(*s));
 if (destroy)
 destroy(s);
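Review bot: The wipe of `key_data_buf` in eapol_send_ptk_3_of_4 runs only on the path that reaches the encrypt call, so any `return` taken after the buffer has been filled but before this line would leave the plaintext key data on the stack. The function starts above the hunk, so those earlier paths need checking there. `sizeof(key_data_buf)` clears the full buffer only as long as it stays a local array, and its declaration is outside the hunk. I would add a comment on the new line, `/* plaintext key data is not needed once it has been encrypted; wipe the stack copy */`.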
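Review bot: The wipe length at `done:` in eapol_key_handle is whatever `key_data_len` holds when control arrives there, which is correct only if every jump to the label taken after the allocation leaves it equal to the size of `decrypted_key_data`. The assignment and the decrypt call are outside the hunk, so this should be checked against them. If the reported length can be shorter than the allocated buffer, the tail is freed unwiped. A comment at the label would pin the invariant: `/* key_data_len must be the length of decrypted_key_data here */`.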
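Review bot: In handshake_state_free only `s->passphrase` is wiped before its `l_free`; the other heap members released above it (`supplicant_ie`, `mde`, `fte`, and whatever is freed before the hunk starts) go back to the allocator as they are, which is fine only if none of them carries key material. `explicit_bzero(s, sizeof(*s))` clears what is stored inline in the struct and nothing behind its pointers. A comment above that call would keep the rule visible for future members: `/* wipes inline keys only; heap members must be wiped before l_free() */`. The function's opening lines, including where `destroy` is read from `s`, are outside the hunk.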