diff --git a/store/keychain/internal/go-keychain/secretservice/dh_ietf1024_sha256_aes128_cbc_pkcs7.go b/store/keychain/internal/go-keychain/secretservice/dh_ietf1024_sha256_aes128_cbc_pkcs7.go
index 3547a1bd..cf727ce4 100644
--- a/store/keychain/internal/go-keychain/secretservice/dh_ietf1024_sha256_aes128_cbc_pkcs7.go
+++ b/store/keychain/internal/go-keychain/secretservice/dh_ietf1024_sha256_aes128_cbc_pkcs7.go
@@ -67,6 +67,7 @@ func (group *dhGroup) keygenHKDFSHA256AES128(theirPublic, myPrivate *big.Int) ([
 		return nil, err
 	}
 	sharedSecretBytes := sharedSecret.Bytes()
+	defer clear(sharedSecretBytes)
 
 	r := hkdf.New(sha256.New, sharedSecretBytes, nil, nil)
 
@@ -81,6 +82,7 @@ func (group *dhGroup) keygenHKDFSHA256AES128(theirPublic, myPrivate *big.Int) ([
 
 func unauthenticatedAESCBCEncrypt(unpaddedPlaintext, key []byte) (iv, ciphertext []byte, err error) {
 	paddedPlaintext := padPKCS7(unpaddedPlaintext, aes.BlockSize)
+	defer clear(paddedPlaintext)
 	block, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, nil, err
diff --git a/store/keychain/keychain_linux.go b/store/keychain/keychain_linux.go
index 11397ea7..39414a17 100644
--- a/store/keychain/keychain_linux.go
+++ b/store/keychain/keychain_linux.go
@@ -207,6 +207,8 @@ func (k *keychainStore[T]) Get(ctx context.Context, id store.ID) (store.Secret,
 	if err != nil {
 		return nil, err
 	}
+	defer clear(value)
+
 	secret := k.factory(ctx, id)
 	if err := secret.SetMetadata(attributes); err != nil {
 		return nil, err
@@ -317,6 +319,7 @@ func (k *keychainStore[T]) Save(_ context.Context, id store.ID, secret store.Sec
 	if err != nil {
 		return err
 	}
+	defer clear(value)
 	sessSecret, err := session.NewSecret(value)
 	if err != nil {
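Review bot: `defer clear(sharedSecretBytes)` scrubs only the copy returned by `sharedSecret.Bytes()`; `sharedSecret` itself, presumably the *big.Int computed just above the hunk, keeps the shared secret in its word slice and `math/big` offers no API that guarantees zeroing it, so the value outlives this function regardless. The same applies to the HKDF pseudorandom key held inside `r` and to `myPrivate`, which the caller owns, and Go gives no language-level guarantee that a `clear` the compiler deems dead is kept, so this is best-effort hygiene rather than a hardening boundary. A comment would keep a later reader from over-reading it: `// Best-effort scrub of the byte copy; sharedSecret (*big.Int) and the HKDF state still hold derived material.` The rest of keygenHKDFSHA256AES128 lies outside the hunk.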
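Review bot: `defer clear(paddedPlaintext)` is only safe if the ciphertext produced later in the function (outside the hunk) is written to a separate buffer; if CBC encryption is done in place, e.g. `CryptBlocks(paddedPlaintext, paddedPlaintext)` with that slice returned as `ciphertext`, the deferred clear zeroes the result before the caller can use it, because the return value shares the backing array. Likewise, if `padPKCS7` appends into spare capacity of `unpaddedPlaintext` rather than allocating, the clear wipes the caller's slice as well. Worth a test asserting the returned ciphertext is non-zero and round-trips, plus a comment at the defer: `// paddedPlaintext must not alias unpaddedPlaintext or the returned ciphertext.` The function body continues past the hunk.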
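Review bot: The `defer clear(value)` in Get relies on `secret.Unmarshal(value)`, called later outside the hunk, copying what it needs rather than retaining the slice; any `T` whose Unmarshal stores `value` or a sub-slice of it directly will hand the caller a secret that is zeroed on return. The same assumption holds for `session.NewSecret(value)` in the Save hunk at -317 and for the Filter hunk further down. Since `T` is a type parameter the store cannot enforce this, so the contract belongs on the secret interface: `// Unmarshal must not retain data after it returns; the store scrubs the buffer.` Note also that `clear` on a slice needs a `go 1.21` or later directive in go.mod, which this diff does not show.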
@@ -422,11 +425,14 @@ func (k *keychainStore[T]) Filter(ctx context.Context, pattern store.Pattern) (m
 
 		secret := k.factory(ctx, secretID)
 		if err := secret.SetMetadata(attributes); err != nil {
+			clear(value)
 			return nil, err
 		}
 		if err := secret.Unmarshal(value); err != nil {
+			clear(value)
 			return nil, err
 		}
+		clear(value)
 		credentials[secretID] = secret
 	}
 
diff --git a/store/keychain/keychain_windows.go b/store/keychain/keychain_windows.go
index 4642334a..81625df8 100644
--- a/store/keychain/keychain_windows.go
+++ b/store/keychain/keychain_windows.go
@@ -60,6 +60,7 @@ func encodeSecret(secret store.Secret) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
+	defer clear(data)
 
 	encoder := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM).NewEncoder()
 	blob, _, err := transform.Bytes(encoder, data)
@@ -77,6 +78,7 @@ func decodeSecret(blob []byte, secret store.Secret) error {
 	if err != nil {
 		return err
 	}
+	defer clear(val)
 	return secret.Unmarshal(val)
 }
 
@@ -292,6 +294,7 @@ func (k *keychainStore[T]) Save(_ context.Context, id store.ID, secret store.Sec
 	if err != nil {
 		return err
 	}
+	defer clear(blob)
 
 	attributes := make(map[string]string)
 	maps.Copy(attributes, secret.Metadata())
@@ -405,8 +408,10 @@ func (k *keychainStore[T]) Filter(ctx context.Context, pattern store.Pattern) (m
 		}
 
 		if err := secret.Unmarshal(blob); err != nil {
+			clear(blob)
 			return nil, err
 		}
+		clear(blob)
 		secrets[id] = secret
 	}
 
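Review bot: The three hand-placed `clear(value)` calls in the Filter loop (and the two `clear(blob)` calls in keychain_windows.go's Filter at -405) scrub each exit path separately, so the next return path added to the loop body silently skips the scrub. A `defer` directly in the loop would only run at function return, but wrapping the per-entry work in a function literal keeps a single deferred clear with identical behaviour on every path. The loop header and the retrieval of `value` are outside the hunk; `secret` and `credentials` are used as they appear in it.
```go
		secret := k.factory(ctx, secretID)
		if err := func() error {
			defer clear(value) // one scrub covers every exit path
			if err := secret.SetMetadata(attributes); err != nil {
				return err
			}
			return secret.Unmarshal(value)
		}(); err != nil {
			return nil, err
		}
		credentials[secretID] = secret
```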
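Review bot: encodeSecret clears its UTF-8 `data` but returns `blob`, the UTF-16 transcoding of the same secret, so scrubbing is split between callee and caller: Save clears `blob` in the hunk at -292, but nothing in encodeSecret says the returned slice carries secret material, and decodeSecret at -77 mirrors this by clearing only its own `val` while leaving the caller's `blob` intact. Any other caller of either function not touched by this diff (Get, for instance, if it goes through decodeSecret) would silently miss the scrub. Documenting ownership on both functions makes that visible: `// encodeSecret scrubs its intermediate copy; the returned blob still holds the secret and the caller must clear it.` and `// decodeSecret scrubs its UTF-8 copy only; blob stays intact and is the caller's to clear.` Both function bodies start before their hunks.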