diff --git a/src/traffic.rs b/src/traffic.rs
index 850524ccc6fd5325289fbdeb9e526c0c095b1d45..4324c1f2a966820e954219b58160dd99a5517067 100644
--- a/src/traffic.rs
+++ b/src/traffic.rs
@@ -290,7 +290,13 @@ impl<'a> TrafIn<'a> {
             _ => ()
         }
     }
+}
 
+impl<'a> Drop for TrafIn<'a> {
+    fn drop(&mut self) {
+        // clear any decrypted content
+        self.buf.zeroize()
+    }
 }
 
 impl<'a> TrafOut<'a> {
@@ -399,6 +405,13 @@ impl<'a> TrafOut<'a> {
 
 }
 
+impl<'a> Drop for TrafOut<'a> {
+    fn drop(&mut self) {
+        // clear any pre-encryption content
+        self.buf.zeroize()
+    }
+}
+
 /// Convenience to pass TrafOut with keys
 pub(crate) struct TrafSend<'s, 'a> {
     out: &'s mut TrafOut<'a>,