Index: sys/conf/options
===================================================================
--- sys/conf/options
+++ sys/conf/options
@@ -1021,3 +1021,10 @@
 IICHID_SAMPLING opt_hid.h
 HKBD_DFLT_KEYMAP opt_hkbd.h
 HIDRAW_MAKE_UHID_ALIAS opt_hid.h
+
+# kenv options
+# The early kernel environment (loader environment, config(8)-provided static)
+# is typically cleared after the dynamic environment comes up to ensure that
+# we're not inadvertently holding on to 'secret' values in these stale envs.
+# This option is theoretically insecure.
+PRESERVE_EARLY_KENV opt_kenv.h
Index: sys/kern/kern_environment.c
===================================================================
--- sys/kern/kern_environment.c
+++ sys/kern/kern_environment.c
@@ -39,6 +39,8 @@
 #include
 __FBSDID("$FreeBSD$");
+#include "opt_kenv.h"
+
 #include
 #include
 #include
@@ -365,7 +367,11 @@
 kenvp[i] = malloc(len, M_KENV, M_WAITOK);
 strcpy(kenvp[i++], cp);
 sanitize:
+#ifdef PRESERVE_EARLY_KENV
+ continue;
+#else
 explicit_bzero(cp, len - 1);
+#endif
 }
 *curpos = i;
 }
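Review bot: The last comment line in the sys/conf/options hunk, `# This option is theoretically insecure.`, does not say what the risk is, which is the one thing someone enabling the option needs to know. Going by the preceding lines, the risk is that the loader and static environments are no longer cleared once the dynamic environment is up, so any secret passed through them stays resident. I would state that directly, for example `# With this option set the early environments are not cleared, so any secret passed in them stays in kernel memory.`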
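Review bot: The `continue;` added under `sanitize:` in the third hunk has no comment, and with `PRESERVE_EARLY_KENV` defined it is the only statement left after the label, so a reader cannot tell that skipping `explicit_bzero(cp, len - 1)` is deliberate. I would add `/* PRESERVE_EARLY_KENV: early env strings are intentionally not wiped and may still hold secrets. */` above it. The skip is all-or-nothing: every early string stays in place, presumably including entries that reached `sanitize:` without being copied into `kenvp` (the `goto` sites are outside the hunk, so this is inferred). The enclosing function and its loop start outside the hunk.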