diff --git a/include/libssh/pki_priv.h b/include/libssh/pki_priv.h
index e0cf6ed7..c0edb851 100644
--- a/include/libssh/pki_priv.h
+++ b/include/libssh/pki_priv.h
@@ -49,6 +49,8 @@ enum ssh_key_e {
 SSH_KEY_PRIVATE
 };
+void pki_key_clean(ssh_key key);
+
 int pki_key_ecdsa_nid_from_name(const char *name);
 const char *pki_key_ecdsa_nid_to_name(int nid);
 const char *ssh_key_signature_to_char(enum ssh_keytypes_e type,
diff --git a/src/pki.c b/src/pki.c
index d4fea5b3..9358f198 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -154,37 +154,9 @@ void ssh_key_clean (ssh_key key)
 {
 if (key == NULL)
 return;
-#ifdef HAVE_LIBGCRYPT
- if(key->dsa) gcry_sexp_release(key->dsa);
- if(key->rsa) gcry_sexp_release(key->rsa);
- if(key->ecdsa) gcry_sexp_release(key->ecdsa);
-#elif defined HAVE_LIBCRYPTO
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- if(key->dsa) DSA_free(key->dsa);
- if(key->rsa) RSA_free(key->rsa);
-#else
- if(key->key) EVP_PKEY_free(key->key);
-#endif /* OPENSSL_VERSION_NUMBER */
-#ifdef HAVE_OPENSSL_ECC
-/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
- * https://github.com/openssl/openssl/pull/16624
- * Move whole HAVE_OPENSSL_EC into #if < 0x3 above
- */
-#if 1
- if(key->ecdsa) EC_KEY_free(key->ecdsa);
-#endif
-#endif /* HAVE_OPENSSL_ECC */
-#elif defined HAVE_LIBMBEDCRYPTO
- if (key->rsa != NULL) {
- mbedtls_pk_free(key->rsa);
- SAFE_FREE(key->rsa);
- }
- if (key->ecdsa != NULL) {
- mbedtls_ecdsa_free(key->ecdsa);
- SAFE_FREE(key->ecdsa);
- }
-#endif
+ pki_key_clean(key);
+
 if (key->ed25519_privkey != NULL){
 #ifdef HAVE_OPENSSL_ED25519
 /* In OpenSSL implementation the private key is only the private
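Review bot: The new `pki_key_clean` prototype in pki_priv.h has no comment, and because this commit also removes the generic `key->dsa/rsa/key/ecdsa = NULL` resets from ssh_key_clean, the header is now the only place to state what every backend implementation must guarantee. Suggest a Doxygen block above it: `/** @brief Release the crypto-backend key material (rsa, dsa, ecdsa, key) held by key and reset those pointers to NULL so the object can be reused; safe to call with NULL. Does not touch the ed25519, certificate, sk, type or flags fields, which ssh_key_clean handles itself. */`. The three implementations in this commit already satisfy that contract (pki_crypto and pki_gcrypt null the pointers explicitly, pki_mbedcrypto via SAFE_FREE, assuming that macro nulls its argument), so the comment records the existing invariant rather than adding behaviour.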
@@ -208,21 +180,10 @@ void ssh_key_clean (ssh_key key)
 ssh_string_free(key->sk_application);
 }
 key->cert_type = SSH_KEYTYPE_UNKNOWN;
- key->flags=SSH_KEY_FLAG_EMPTY;
- key->type=SSH_KEYTYPE_UNKNOWN;
+ key->flags = SSH_KEY_FLAG_EMPTY;
+ key->type = SSH_KEYTYPE_UNKNOWN;
 key->ecdsa_nid = 0;
- key->type_c=NULL;
-#if !defined(HAVE_LIBCRYPTO) || OPENSSL_VERSION_NUMBER < 0x30000000L
- key->dsa = NULL;
- key->rsa = NULL;
-#else
- key->key = NULL;
-#endif /* OPENSSL_VERSION_NUMBER */
-/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
- * https://github.com/openssl/openssl/pull/16624
- * Move into #if OPENSSL_VERSION_NUMBER < 0x3 above
- */
- key->ecdsa = NULL;
+ key->type_c = NULL;
 }
 /**
diff --git a/src/pki_crypto.c b/src/pki_crypto.c
index 621caeef..a5a6a186 100644
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -87,6 +87,30 @@ static int pem_get_password(char *buf, int size, int rwflag, void *userdata) {
 return 0;
 }
+void pki_key_clean(ssh_key key)
+{
+ if (key == NULL)
+ return;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ DSA_free(key->dsa);
+ key->dsa = NULL;
+ RSA_free(key->rsa);
+ key->rsa = NULL;
+#endif /* OPENSSL_VERSION_NUMBER */
+#ifdef HAVE_OPENSSL_ECC
+/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
+ * https://github.com/openssl/openssl/pull/16624
+ * Move whole HAVE_OPENSSL_ECC into #if < 0x3 above
+ */
+#if 1
+ EC_KEY_free(key->ecdsa);
+ key->ecdsa = NULL;
+#endif
+#endif /* HAVE_OPENSSL_ECC */
+ EVP_PKEY_free(key->key);
+ key->key = NULL;
+}
+
 #ifdef HAVE_OPENSSL_ECC
 /* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
 * https://github.com/openssl/openssl/pull/16624
diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c
index 44a3cc2a..b619b1a3 100644
--- a/src/pki_gcrypt.c
+++ b/src/pki_gcrypt.c
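Review bot: In the OpenSSL `pki_key_clean`, `EVP_PKEY_free(key->key); key->key = NULL;` is placed after the `#endif /* HAVE_OPENSSL_ECC */` and therefore runs on every OpenSSL version, whereas the ssh_key_clean code it replaces freed and nulled `key->key` only in the `#else` (>= 3.0) branch and `dsa`/`rsa` only below 3.0. If ssh_key_struct declares `key` only for OpenSSL >= 3.0, as the removed `#if !defined(HAVE_LIBCRYPTO) || OPENSSL_VERSION_NUMBER < 0x30000000L` reset block suggests, this will not build against OpenSSL 1.1; if `key` is declared unconditionally, it must be confirmed that no pre-3.0 path stores the same object behind both `key->key` and `key->rsa`/`key->dsa`, otherwise the back-to-back frees here become a double free of private key material. The change that preserves the old semantics is to move the two lines into the version check: `#else`, `EVP_PKEY_free(key->key); key->key = NULL;`, `#endif /* OPENSSL_VERSION_NUMBER */`.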
@@ -283,6 +283,23 @@ static int passphrase_to_key(char *data, unsigned int datalen,
 return 0;
 }
+void pki_key_clean(ssh_key key)
+{
+ if (key == NULL)
+ return;
+
+ if (key->dsa)
+ gcry_sexp_release(key->dsa);
+ if (key->rsa)
+ gcry_sexp_release(key->rsa);
+ if (key->ecdsa)
+ gcry_sexp_release(key->ecdsa);
+
+ key->dsa = NULL;
+ key->rsa = NULL;
+ key->ecdsa = NULL;
+}
+
 static int privatekey_decrypt(int algo, int mode, unsigned int key_len,
 unsigned char *iv, unsigned int iv_len,
 ssh_buffer data, ssh_auth_callback cb,
diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c
index 1427ded9..4439b3cd 100644
--- a/src/pki_mbedcrypto.c
+++ b/src/pki_mbedcrypto.c
@@ -38,6 +38,22 @@
 #define MAX_PASSPHRASE_SIZE 1024
 #define MAX_KEY_SIZE 32
+void pki_key_clean(ssh_key key)
+{
+ if (key == NULL)
+ return;
+
+ if (key->rsa != NULL) {
+ mbedtls_pk_free(key->rsa);
+ SAFE_FREE(key->rsa);
+ }
+
+ if (key->ecdsa != NULL) {
+ mbedtls_ecdsa_free(key->ecdsa);
+ SAFE_FREE(key->ecdsa);
+ }
+}
+
 ssh_string pki_private_key_to_pem(const ssh_key key, const char *passphrase,
 ssh_auth_callback auth_fn, void *auth_data)
 {
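Review bot: In the gcrypt `pki_key_clean` each `gcry_sexp_release` is wrapped in an `if (key->dsa)`-style guard while the three NULL resets are grouped separately at the end, so the free and the reset of one pointer are several lines apart; the OpenSSL backend in the same commit pairs each free with its reset and relies on the free function tolerating NULL. As far as I recall gcry_sexp_release is a no-op on NULL, so the guards could be dropped and each release followed directly by its reset, e.g. `gcry_sexp_release(key->dsa); key->dsa = NULL;`, giving the two backends the same shape — worth confirming against the libgcrypt version the project requires before removing them. Whichever form is kept, a one-line comment noting that the function must leave dsa/rsa/ecdsa NULL, because ssh_key_clean no longer resets them itself, would help whoever writes the next backend.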
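Review bot: The mbedTLS `pki_key_clean` frees and nulls `rsa` and `ecdsa` but never touches `key->dsa`, while the generic code this commit removes from ssh_key_clean in src/pki.c (`#if !defined(HAVE_LIBCRYPTO) || ...` followed by `key->dsa = NULL;`) did reset it on mbedTLS builds too. If ssh_key_struct still has a `dsa` member under HAVE_LIBMBEDCRYPTO, a stale pointer now survives ssh_key_clean and a reused key object could appear to hold DSA material it does not own; add `key->dsa = NULL;` after the ecdsa block (or `SAFE_FREE(key->dsa);` if this backend ever allocates it). The explicit `!= NULL` guards are worth keeping here, since older mbedTLS 2.x `mbedtls_ecdsa_free` does not check for NULL itself.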