diff --git a/include/polarssl/ctr_drbg.h b/include/polarssl/ctr_drbg.h
index 4b5a444a56..bebbfe9311 100644
--- a/include/polarssl/ctr_drbg.h
+++ b/include/polarssl/ctr_drbg.h
@@ -130,6 +130,13 @@ int ctr_drbg_init( ctr_drbg_context *ctx,
 const unsigned char *custom,
 size_t len );
 
+/**
+ * \brief Clear CTR_CRBG context data
+ *
+ * \param ctx CTR_DRBG context to clear
+ */
+void ctr_drbg_free( ctr_drbg_context *ctx );
+
 /**
 * \brief Enable / disable prediction resistance (Default: Off)
 *
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index 249b840695..96ee4f1625 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -48,6 +48,11 @@
 #define polarssl_printf printf
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+ volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 /*
 * Non-public function wrapped by ctr_crbg_init(). Necessary to allow NIST
 * tests to succeed (which require known length fixed entropy)
@@ -95,6 +100,15 @@ int ctr_drbg_init( ctr_drbg_context *ctx,
 CTR_DRBG_ENTROPY_LEN ) );
 }
 
+void ctr_drbg_free( ctr_drbg_context *ctx )
+{
+ if( ctx == NULL )
+ return;
+
+ aes_free( &ctx->aes_ctx );
+ polarssl_zeroize( ctx, sizeof( ctr_drbg_context ) );
+}
+
 void ctr_drbg_set_prediction_resistance( ctr_drbg_context *ctx, int resistance )
 {
 ctx->prediction_resistance = resistance;
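Review bot: The new doc comment for `ctr_drbg_free` in include/polarssl/ctr_drbg.h misspells the module name as `CTR_CRBG`; the line should read `\brief Clear CTR_DRBG context data`. The comment also does not say what state the context is left in. The implementation added in library/ctr_drbg.c wipes the whole structure, so a caller that keeps the object around has to initialise it again before any further use. I would add one line to the comment, for example `\note The context is zeroized; call ctr_drbg_init() again before reusing it.`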
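Review bot: In the library/ctr_drbg.c hunk at line 48, `polarssl_zeroize` puts the pointer declaration and the wipe loop on a single line, which hides the one statement that matters in a security-sensitive helper. Split it into `volatile unsigned char *p = v;` and `while( n-- ) *p++ = 0;` on separate lines. The comment says the code "should never be optimized out" but does not say why. Stating the mechanism would help the next reader judge it, e.g. `/* Wipe through a volatile pointer so the compiler cannot drop the stores as dead writes */`.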
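Review bot: `ctr_drbg_free` in library/ctr_drbg.c sizes the wipe with the type name, `sizeof( ctr_drbg_context )`, so the length is not tied to the object being cleared. Writing `polarssl_zeroize( ctx, sizeof( *ctx ) );` keeps the two in step if the parameter type is ever changed. The body also carries no comment on why the whole structure is wiped after `aes_free`. A single line such as `/* Wipe the whole context so no DRBG state stays in memory after use */` above the `polarssl_zeroize` call would record the intent.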