diff --git a/components/net/sf/briar/transport/ConnectionRecogniserImpl.java b/components/net/sf/briar/transport/ConnectionRecogniserImpl.java
index 745aaf842f557eafb7e8a08a854b7163ea9d6666..6603de1a6657a40ae4d385236622ec6f278f089e 100644
--- a/components/net/sf/briar/transport/ConnectionRecogniserImpl.java
+++ b/components/net/sf/briar/transport/ConnectionRecogniserImpl.java
@@ -34,6 +34,7 @@ import net.sf.briar.api.protocol.TransportIndex;
 import net.sf.briar.api.transport.ConnectionContext;
 import net.sf.briar.api.transport.ConnectionRecogniser;
 import net.sf.briar.api.transport.ConnectionWindow;
+import net.sf.briar.util.ByteUtils;
 
 import com.google.inject.Inject;
 
@@ -72,6 +73,12 @@ DatabaseListener {
 				// The contact was removed - clean up in eventOccurred()
 			}
 		}
+		Runtime.getRuntime().addShutdownHook(new Thread() {
+			@Override
+			public void run() {
+				eraseSecrets();
+			}
+		});
 		initialised = true;
 	}
 
@@ -88,12 +95,12 @@ DatabaseListener {
 	private synchronized void calculateIvs(ContactId c, TransportIndex i,
 			ConnectionWindow w) throws DbException {
 		for(Entry<Long, byte[]> e : w.getUnseen().entrySet()) {
-			long unseen = e.getKey();
+			long connection = e.getKey();
 			byte[] secret = e.getValue();
 			ErasableKey ivKey = crypto.deriveIvKey(secret, true);
-			Bytes iv = new Bytes(encryptIv(i, unseen, ivKey));
+			Bytes iv = new Bytes(encryptIv(i, connection, ivKey));
 			ivKey.erase();
-			expected.put(iv, new Context(c, i, unseen, w));
+			expected.put(iv, new Context(c, i, connection, w));
 		}
 	}
 
@@ -112,6 +119,12 @@ DatabaseListener {
 		}
 	}
 
+	private synchronized void eraseSecrets() {
+		for(Context c : expected.values()) {
+			for(byte[] b : c.window.getUnseen().values()) ByteUtils.erase(b);
+		}
+	}
+
 	public synchronized ConnectionContext acceptConnection(byte[] encryptedIv)
 	throws DbException {
 		if(encryptedIv.length != IV_LENGTH)