diff --git a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs
index 5a7ecf85bd8c..f177fc7c5dcf 100644
--- a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs
+++ b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs
@@ -55,8 +55,9 @@ public CngCbcAuthenticatedEncryptorFactory(ILoggerFactory loggerFactory)
 return null;
 }
+ using var key = new Secret(secret);
 return new CbcAuthenticatedEncryptor(
- keyDerivationKey: new Secret(secret),
+ keyDerivationKey: key,
 symmetricAlgorithmHandle: GetSymmetricBlockCipherAlgorithmHandle(configuration),
 symmetricAlgorithmKeySizeInBytes: (uint)(configuration.EncryptionAlgorithmKeySize / 8),
 hmacAlgorithmHandle: GetHmacAlgorithmHandle(configuration));
diff --git a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs
index b597eca4ec02..de824a67a859 100644
--- a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs
+++ b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs
@@ -57,8 +57,9 @@ public CngGcmAuthenticatedEncryptorFactory(ILoggerFactory loggerFactory)
 return null;
 }
+ using var key = new Secret(secret);
 return new CngGcmAuthenticatedEncryptor(
- keyDerivationKey: new Secret(secret),
+ keyDerivationKey: key,
 symmetricAlgorithmHandle: GetSymmetricBlockCipherAlgorithmHandle(configuration),
 symmetricAlgorithmKeySizeInBytes: (uint)(configuration.EncryptionAlgorithmKeySize / 8));
 }
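Review bot: In the CngCbc factory hunk, `key` is disposed when CreateAuthenticatedEncryptorInstance returns, so the change is only sound if the CbcAuthenticatedEncryptor constructor copies the key material out of the Secret rather than keeping the reference; the constructor is not in the hunk, so that should be confirmed and recorded next to the using declaration, e.g. `// The encryptor copies the key-derivation key in its constructor, so the Secret can be released when this method returns.` The same consideration applies to the CngGcm factory hunk below, where `key` is handed to CngGcmAuthenticatedEncryptor in the same way. Both CreateAuthenticatedEncryptorInstance bodies begin outside their hunks.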
diff --git a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs
index 35e6f0693231..518b33cc09c5 100644
--- a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs
+++ b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs
@@ -44,7 +44,8 @@ void IInternalAlgorithmConfiguration.Validate()
 {
 var factory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance);
 // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly.
- var encryptor = factory.CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8), this);
+ using var secret = Secret.Random(512 / 8);
+ var encryptor = factory.CreateAuthenticatedEncryptorInstance(secret, this);
 try
 {
 encryptor.PerformSelfTest();
diff --git a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
index 1f5b5af4fb18..b048f6ab7db9 100644
--- a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
+++ b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
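Review bot: In AuthenticatedEncryptorConfiguration.Validate the new `secret` is released only when the method returns, while `encryptor` is used in the try block that continues past the hunk; that is correct as long as the encryptor does not escape Validate, because the encryptor built by the wrapped factory may retain the Secret rather than copy it (the factory is not shown here). A comment would pin the lifetime down: `// secret must outlive every use of encryptor below; the using declaration releases it when Validate returns.` Unlike the CNG and managed configuration hunks in this commit, `encryptor` is not itself a using declaration here; presumably the try/finally outside the hunk disposes it, which is worth confirming. The rest of Validate lies outside the hunk.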
@@ -94,9 +94,8 @@ void IInternalAlgorithmConfiguration.Validate()
 {
 var factory = new CngCbcAuthenticatedEncryptorFactory(NullLoggerFactory.Instance);
 // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly.
- using (var encryptor = factory.CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8), this))
- {
- encryptor.PerformSelfTest();
- }
+ using var secret = Secret.Random(512 / 8);
+ using var encryptor = factory.CreateAuthenticatedEncryptorInstance(secret, this);
+ encryptor.PerformSelfTest();
 }
 }
diff --git a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs
index 2d1e56805354..0b2db63c4f3b 100644
--- a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs
+++ b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs
@@ -70,9 +70,8 @@ void IInternalAlgorithmConfiguration.Validate()
 {
 var factory = new CngGcmAuthenticatedEncryptorFactory(NullLoggerFactory.Instance);
 // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly.
- using (var encryptor = factory.CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8), this))
- {
- encryptor.PerformSelfTest();
- }
+ using var secret = Secret.Random(512 / 8);
+ using var encryptor = factory.CreateAuthenticatedEncryptorInstance(secret, this);
+ encryptor.PerformSelfTest();
 }
 }
diff --git a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
index 8a9262c666ff..9ee20854dae7 100644
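Review bot: The order of the two using declarations in CngCbcAuthenticatedEncryptorConfiguration.Validate matters and is not documented: using declarations are disposed in reverse order at the end of the enclosing scope, so `encryptor` is released first and `secret` last, which is the safe order if the encryptor still references the key; swapping the two lines would zero the key while the encryptor could still reach it. Suggest a comment on the secret line: `// Declared before the encryptor: using declarations dispose in reverse order, so the key material is released last.` The same note applies to the CngGcm configuration hunk below and to the ManagedAuthenticatedEncryptorConfiguration hunk that follows it. The Validate signature itself is the hunk header line, outside the hunk body.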
--- a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
+++ b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
@@ -73,10 +73,9 @@ void IInternalAlgorithmConfiguration.Validate()
 {
 var factory = new ManagedAuthenticatedEncryptorFactory(NullLoggerFactory.Instance);
 // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly.
- using (var encryptor = factory.CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8), this))
- {
- encryptor.PerformSelfTest();
- }
+ using var secret = Secret.Random(512 / 8);
+ using var encryptor = factory.CreateAuthenticatedEncryptorInstance(secret, this);
+ encryptor.PerformSelfTest();
 }
 // Any changes to this method should also be be reflected
diff --git a/src/DataProtection/DataProtection/src/Cng/DpapiSecretSerializerHelper.cs b/src/DataProtection/DataProtection/src/Cng/DpapiSecretSerializerHelper.cs
index ae213a62ca83..050834a1c064 100644
--- a/src/DataProtection/DataProtection/src/Cng/DpapiSecretSerializerHelper.cs
+++ b/src/DataProtection/DataProtection/src/Cng/DpapiSecretSerializerHelper.cs
@@ -30,7 +30,8 @@ public static bool CanProtectToCurrentUserAccount()
 try
 {
 Guid dummy;
- ProtectWithDpapi(new Secret((byte*)&dummy, sizeof(Guid)), protectToLocalMachine: false);
+ using var secret = new Secret((byte*)&dummy, sizeof(Guid));
+ ProtectWithDpapi(secret, protectToLocalMachine: false);
 return true;
 }
 catch
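Review bot: The new `using var secret` in CanProtectToCurrentUserAccount sits inside the try, so the Secret is released before control reaches the catch on either path, but nothing says why a capability probe needs explicit disposal; a comment such as `// Probe only: the Secret's copy of the dummy bytes is released when the try exits, whether or not DPAPI succeeds.` would make the intent clear. This assumes the pointer-and-length Secret constructor copies its input rather than aliasing the stack buffer; the constructor is not in the hunk, so confirm before wording the comment that way. `Guid dummy` is never assigned, so the bytes handed to DPAPI are whatever the stack holds — harmless for a probe, but `Guid dummy = default;` would make the input deterministic (pre-existing, not introduced by this change). The method begins before the hunk and its catch block continues after it.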