diff --git a/libnm-core/nm-utils.c b/libnm-core/nm-utils.c
index 0d9118adee..68c6647784 100644
--- a/libnm-core/nm-utils.c
+++ b/libnm-core/nm-utils.c
@@ -6697,7 +6697,7 @@ nm_utils_base64secret_decode (const char *base64_key,
 base64_key_len = strlen (base64_key);
- r = nm_sd_utils_unbase64mem (base64_key, base64_key_len, &bin_arr, &bin_len);
+ r = nm_sd_utils_unbase64mem (base64_key, base64_key_len, TRUE, &bin_arr, &bin_len);
 if (r < 0)
 return FALSE;
 if (bin_len != required_key_len) {
diff --git a/shared/systemd/nm-sd-utils-shared.c b/shared/systemd/nm-sd-utils-shared.c
index 0e89fbb7d1..ecd2749213 100644
--- a/shared/systemd/nm-sd-utils-shared.c
+++ b/shared/systemd/nm-sd-utils-shared.c
@@ -62,6 +62,8 @@ nm_sd_utils_unbase64char (char ch, gboolean accept_padding_equal)
 * will cause the function to fail.
 * @l: the length of @p. @p is not treated as NUL terminated string but
 * merely as a buffer of ascii characters.
+ * @secure: whether the temporary memory will be cleared to avoid leaving
+ * secrets in memory (see also nm_explict_bzero()).
 * @mem: (transfer full): the decoded buffer on success.
 * @len: the length of @mem on success.
 *
@@ -75,8 +77,9 @@ nm_sd_utils_unbase64char (char ch, gboolean accept_padding_equal)
 int
 nm_sd_utils_unbase64mem (const char *p,
 size_t l,
+ gboolean secure,
 guint8 **mem,
 size_t *len)
 {
- return unbase64mem (p, l, (void **) mem, len);
+ return unbase64mem_full (p, l, secure, (void **) mem, len);
 }
diff --git a/shared/systemd/nm-sd-utils-shared.h b/shared/systemd/nm-sd-utils-shared.h
index eddf0c285a..b3b77c8842 100644
--- a/shared/systemd/nm-sd-utils-shared.h
+++ b/shared/systemd/nm-sd-utils-shared.h
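Review bot: In `nm_utils_base64secret_decode` (libnm-core/nm-utils.c), passing `TRUE` covers only the decoder's temporary memory, going by the `@secure` description added in this commit; the decoded key handed back in `bin_arr` remains the caller's to wipe. The `bin_len != required_key_len` branch at the end of the hunk discards decoded material, and its body lies outside the hunk, so it is worth confirming that `bin_arr` is zeroed there and on every other exit path before it is freed. A comment above the call would record the split of responsibility, for example `/* secure=TRUE wipes the decoder's scratch memory only; bin_arr must still be cleared here */`.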
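Review bot: The new `@secure` line in the doc comment of `nm_sd_utils_unbase64mem` (shared/systemd/nm-sd-utils-shared.c) refers to `nm_explict_bzero()`, which looks like a misspelling of `nm_explicit_bzero()`, so a reader grepping for the helper will not find it. The text also leaves open whether the buffer returned in `@mem` is cleared; the phrase "temporary memory" suggests it is not, and stating that would keep callers from assuming the flag protects the result. If that reading is right, the entry could read `@secure: whether temporary memory used while decoding is cleared before returning (see nm_explicit_bzero()); the buffer returned in @mem is not cleared and must be wiped by the caller.`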
@@ -31,7 +31,11 @@ const char *nm_sd_utils_path_startswith (const char *path, const char *prefix);
 int nm_sd_utils_unbase64char (char ch, gboolean accept_padding_equal);
-int nm_sd_utils_unbase64mem (const char *p, size_t l, guint8 **mem, size_t *len);
+int nm_sd_utils_unbase64mem (const char *p,
+ size_t l,
+ gboolean secure,
+ guint8 **mem,
+ size_t *len);
 /*****************************************************************************/
diff --git a/src/tests/test-systemd.c b/src/tests/test-systemd.c
index 91edcab24a..20cbd50efd 100644
--- a/src/tests/test-systemd.c
+++ b/src/tests/test-systemd.c
@@ -269,12 +269,12 @@ _test_unbase64mem_mem (const char *base64, const guint8 *expected_arr, gsize exp
 for (i = 0; expected_base64[i]; i++) _test_unbase64char (expected_base64[i], FALSE);
- r = nm_sd_utils_unbase64mem (expected_base64, strlen (expected_base64), &exp2_arr, &exp2_len);
+ r = nm_sd_utils_unbase64mem (expected_base64, strlen (expected_base64), TRUE, &exp2_arr, &exp2_len);
 g_assert_cmpint (r, ==, 0);
 g_assert_cmpmem (expected_arr, expected_len, exp2_arr, exp2_len);
 if (!nm_streq (base64, expected_base64)) {
- r = nm_sd_utils_unbase64mem (base64, strlen (base64), &exp3_arr, &exp3_len);
+ r = nm_sd_utils_unbase64mem (base64, strlen (base64), TRUE, &exp3_arr, &exp3_len);
 g_assert_cmpint (r, ==, 0);
 g_assert_cmpmem (expected_arr, expected_len, exp3_arr, exp3_len);
 }
@@ -289,7 +289,7 @@ _test_unbase64mem_inval (const char *base64)
 gsize exp_len = 0;
 int r;
- r = nm_sd_utils_unbase64mem (base64, strlen (base64), &exp_arr, &exp_len);
+ r = nm_sd_utils_unbase64mem (base64, strlen (base64), TRUE, &exp_arr, &exp_len);
 g_assert_cmpint (r, <, 0);
 g_assert (!exp_arr);
 g_assert (exp_len == 0);
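Review bot: Every updated call in src/tests/test-systemd.c passes `TRUE`, so after this change nothing exercises `nm_sd_utils_unbase64mem()` with `secure` set to `FALSE`, and a regression in that path would go unnoticed. In `_test_unbase64mem_mem` the second decode could use the other value, `r = nm_sd_utils_unbase64mem (base64, strlen (base64), FALSE, &exp3_arr, &exp3_len);`, or the helper could run each decode once per value. The same applies to the single call in `_test_unbase64mem_inval` in the following hunk, where the failure path is the one that has to leave `exp_arr` unset in both modes. Both function bodies extend beyond the hunks shown.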