diff --git a/cng/aes.go b/cng/aes.go
index caac632..097a0fc 100644
--- a/cng/aes.go
+++ b/cng/aes.go
@@ -7,6 +7,7 @@
 package cng
 
 import (
+ "bytes"
 "crypto/cipher"
 "errors"
 "runtime"
@@ -28,8 +29,7 @@ func NewAESCipher(key []byte) (cipher.Block, error) {
 if err != nil {
 return nil, err
 }
- c := &aesCipher{kh: kh, key: make([]byte, len(key))}
- copy(c.key, key)
+ c := &aesCipher{kh: kh, key: bytes.Clone(key)}
 runtime.SetFinalizer(c, (*aesCipher).finalize)
 return c, nil
 }
diff --git a/cng/des.go b/cng/des.go
index b0784af..de3f05b 100644
--- a/cng/des.go
+++ b/cng/des.go
@@ -7,6 +7,7 @@
 package cng
 
 import (
+ "bytes"
 "crypto/cipher"
 "runtime"
 
@@ -27,8 +28,7 @@ func NewDESCipher(key []byte) (cipher.Block, error) {
 if err != nil {
 return nil, err
 }
- c := &desCipher{kh: kh, alg: bcrypt.DES_ALGORITHM, key: make([]byte, len(key))}
- copy(c.key, key)
+ c := &desCipher{kh: kh, alg: bcrypt.DES_ALGORITHM, key: bytes.Clone(key)}
 runtime.SetFinalizer(c, (*desCipher).finalize)
 return c, nil
 }
@@ -38,8 +38,7 @@ func NewTripleDESCipher(key []byte) (cipher.Block, error) {
 if err != nil {
 return nil, err
 }
- c := &desCipher{kh: kh, alg: bcrypt.DES3_ALGORITHM, key: make([]byte, len(key))}
- copy(c.key, key)
+ c := &desCipher{kh: kh, alg: bcrypt.DES3_ALGORITHM, key: bytes.Clone(key)}
 runtime.SetFinalizer(c, (*desCipher).finalize)
 return c, nil
 }
diff --git a/cng/hash.go b/cng/hash.go
index c4f01e1..87b1c95 100644
--- a/cng/hash.go
+++ b/cng/hash.go
@@ -7,6 +7,7 @@
 package cng
 
 import (
+ "bytes"
 "crypto"
 "hash"
 "runtime"
@@ -194,12 +195,7 @@ func newHashX(id string, flag bcrypt.AlgorithmProviderFlags, key []byte) *hashX
 if err != nil {
 panic(err)
 }
- h := new(hashX)
- h.alg = alg
- if len(key) > 0 {
- h.key = make([]byte, len(key))
- copy(h.key, key)
- }
+ h := &hashX{alg: alg, key: bytes.Clone(key)}
 // Don't allocate hx.buf nor call bcrypt.CreateHash yet,
 // which would be wasteful if the caller only wants to know
 // the hash type. This is a common pattern in this package,
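Review bot: The added line in NewAESCipher keeps a copy of the raw AES key in Go memory next to `kh`, and nothing in the hunk says why the copy is retained or when it is wiped. A comment above the assignment would help, for example `// c.key is a private copy of the caller's key; it stays in Go memory for as long as c is reachable.` Whether `(*aesCipher).finalize` clears `c.key` is not visible here and is worth confirming, since the finalizer is the only cleanup this hunk registers. The same applies to NewDESCipher and NewTripleDESCipher in des.go. NewAESCipher begins before the hunk.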
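Review bot: `bytes.Clone` was added to the standard library in Go 1.20, so the new line in NewDESCipher, like every other `bytes.Clone` call this commit adds in aes.go, des.go and hash.go, will not build with an older toolchain. The module's `go` directive is not part of this diff; if it is below 1.20 it should be raised in the same change, or the two-line `make`/`copy` form kept. NewDESCipher begins before the hunk.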
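Review bot: The rewritten initialiser in newHashX changes the result for an empty but non-nil key: the removed code left `h.key` nil whenever `len(key) == 0`, while `bytes.Clone` returns a non-nil zero-length slice for that input. If code outside this hunk tells keyed from unkeyed hashing by `h.key != nil` (the guard removed from Clone in the next hunk used that test), an empty key would now take the keyed path. Keeping the guard avoids the change: `h := &hashX{alg: alg}` followed by `if len(key) > 0 { h.key = bytes.Clone(key) }`. The Clone hunk by itself is equivalent to the code it replaces; newHashX begins before this hunk and continues past it.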
@@ -227,13 +223,7 @@ func (h *hashX) withCtx(fn func(ctx bcrypt.HASH_HANDLE) error) error {
 }
 
 func (h *hashX) Clone() (hash.Hash, error) {
- h2 := &hashX{
- alg: h.alg,
- }
- if h.key != nil {
- h2.key = make([]byte, len(h.key))
- copy(h2.key, h.key)
- }
+ h2 := &hashX{alg: h.alg, key: bytes.Clone(h.key)}
 err := h.withCtx(func(ctx bcrypt.HASH_HANDLE) error {
 return bcrypt.DuplicateHash(ctx, &h2._ctx, nil, 0)
 })