diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSslContext.java b/handler/src/main/java/io/netty/handler/ssl/OpenSslContext.java
index a38e28192d..362d6f6440 100644
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSslContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslContext.java
@@ -517,18 +517,24 @@ public abstract class OpenSslContext extends SslContext {
                 try {
                     buffer.writeBytes(encodedBuf);
                 } finally {
-                    encodedBuf.release();
+                    zerooutAndRelease(encodedBuf);
                 }
             } finally {
-                wrappedBuf.release();
+                zerooutAndRelease(wrappedBuf);
             }
             buffer.writeBytes(END_PRIVATE_KEY);
             return newBIO(buffer);
         } finally {
-            buffer.release();
+            // Zero out the buffer and so the private key it held.
+            zerooutAndRelease(buffer);
         }
     }
 
+    private static void zerooutAndRelease(ByteBuf buffer) {
+        buffer.setZero(0, buffer.capacity());
+        buffer.release();
+    }
+
     /**
      * Return the pointer to a <a href="https://www.openssl.org/docs/crypto/BIO_get_mem_ptr.html">in-memory BIO</a>
      * or {@code 0} if the {@code certChain} is {@code null}. The BIO contains the content of the {@code certChain}.