Index: sys/netipsec/key.c
===================================================================
--- sys/netipsec/key.c
+++ sys/netipsec/key.c
@@ -3060,27 +3060,19 @@
 	if (sav->flags & SADB_X_EXT_F_CLONED)
 		return;
 	/*
-	 * Cleanup xform state.  Note that zeroize'ing causes the
-	 * keys to be cleared; otherwise we must do it ourself.
+	 * Cleanup xform state.
 	 */
 	if (sav->tdb_xform != NULL) {
 		sav->tdb_xform->xf_zeroize(sav);
 		sav->tdb_xform = NULL;
-	} else {
-		if (sav->key_auth != NULL)
-			bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
-		if (sav->key_enc != NULL)
-			bzero(sav->key_enc->key_data, _KEYLEN(sav->key_enc));
 	}
 	if (sav->key_auth != NULL) {
-		if (sav->key_auth->key_data != NULL)
-			free(sav->key_auth->key_data, M_IPSEC_MISC);
+		zfree(sav->key_auth->key_data, M_IPSEC_MISC);
 		free(sav->key_auth, M_IPSEC_MISC);
 		sav->key_auth = NULL;
 	}
 	if (sav->key_enc != NULL) {
-		if (sav->key_enc->key_data != NULL)
-			free(sav->key_enc->key_data, M_IPSEC_MISC);
+		zfree(sav->key_enc->key_data, M_IPSEC_MISC);
 		free(sav->key_enc, M_IPSEC_MISC);
 		sav->key_enc = NULL;
 	}
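Review bot: The two `zfree()` calls are now reached without the `key_data != NULL` guards that the removed `free()` calls had. As far as I know the kernel's `zfree()` returns early on a NULL address just like `free()`, but that should be confirmed on every branch this change is merged to. The shortened comment also drops the only statement of where key material gets wiped; I would add `/* zfree() zeroes the key buffers before releasing them, whether or not an xform was attached. */` above the `key_auth` block. The enclosing function starts and ends outside the hunk.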
Index: sys/netipsec/xform_ah.c
===================================================================
--- sys/netipsec/xform_ah.c
+++ sys/netipsec/xform_ah.c
@@ -250,9 +250,6 @@
 ah_zeroize(struct secasvar *sav)
 {
 
-	if (sav->key_auth)
-		bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
-
 	crypto_freesession(sav->tdb_cryptoid);
 	sav->tdb_cryptoid = NULL;
 	sav->tdb_authalgxform = NULL;
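Review bot: With the `bzero()` removed, `ah_zeroize()` no longer clears `key_auth->key_data`, so wiping the key now depends entirely on the `zfree()` calls in the key.c hunk. The same holds for `esp_zeroize()` (for `key_enc`) and `tcpsignature_zeroize()` in the hunks below. Any path that invokes `xf_zeroize` or releases `key_data` without going through that cleanup code (none is visible here) would leave key bytes in freed memory, so the remaining callers should be audited. Because the function name still says zeroize, a comment such as `/* Key material is wiped by zfree() in the SA cleanup path, not here. */` at the top of the body would keep the contract clear. The end of the function is outside the hunk.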
Index: sys/netipsec/xform_esp.c
===================================================================
--- sys/netipsec/xform_esp.c
+++ sys/netipsec/xform_esp.c
@@ -243,11 +243,9 @@
 static int
 esp_zeroize(struct secasvar *sav)
 {
-	/* NB: ah_zerorize free's the crypto session state */
+	/* NB: ah_zeroize free's the crypto session state */
 	int error = ah_zeroize(sav);
 
-	if (sav->key_enc)
-		bzero(sav->key_enc->key_data, _KEYLEN(sav->key_enc));
 	sav->tdb_encalgxform = NULL;
 	sav->tdb_xform = NULL;
 	return error;
Index: sys/netipsec/xform_tcp.c
===================================================================
--- sys/netipsec/xform_tcp.c
+++ sys/netipsec/xform_tcp.c
@@ -365,8 +365,6 @@
 tcpsignature_zeroize(struct secasvar *sav)
 {
 
-	if (sav->key_auth != NULL)
-		bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
 	sav->tdb_xform = NULL;
 	return (0);
 }