diff --git a/aws-lc-rs/src/cipher.rs b/aws-lc-rs/src/cipher.rs
index 50957aced22..4fe1c244b2f 100644
--- a/aws-lc-rs/src/cipher.rs
+++ b/aws-lc-rs/src/cipher.rs
@@ -659,6 +659,7 @@ fn encrypt_aes_ctr_mode(
     let mut buffer = [0u8; AES_BLOCK_LEN];
 
     aes_ctr128_encrypt(key, &mut iv, &mut buffer, in_out);
+    iv.zeroize();
 
     Ok(context)
 }
@@ -692,6 +693,7 @@ fn encrypt_aes_cbc_mode(
     };
 
     aes_cbc_encrypt(key, &mut iv, in_out);
+    iv.zeroize();
 
     Ok(context)
 }
@@ -716,6 +718,7 @@ fn decrypt_aes_cbc_mode(
     };
 
     aes_cbc_decrypt(key, &mut iv, in_out);
+    iv.zeroize();
 
     Ok(context)
 }
diff --git a/aws-lc-rs/src/iv.rs b/aws-lc-rs/src/iv.rs
index 14953a0df7a..2a4385afd60 100644
--- a/aws-lc-rs/src/iv.rs
+++ b/aws-lc-rs/src/iv.rs
@@ -8,6 +8,7 @@
 
 use crate::error::Unspecified;
 use crate::{error, rand};
+use zeroize::Zeroize;
 
 /// An initalization vector that must be unique for the lifetime of the associated key
 /// it is used with.
@@ -53,6 +54,12 @@ impl<const L: usize> FixedLength<L> {
     }
 }
 
+impl<const L: usize> Drop for FixedLength<L> {
+    fn drop(&mut self) {
+        self.0.zeroize();
+    }
+}
+
 impl<const L: usize> AsMut<[u8; L]> for FixedLength<L> {
     #[inline]
     fn as_mut(&mut self) -> &mut [u8; L] {