diff --git a/internal/cli/init.go b/internal/cli/init.go
index 4b237c8..1167f7c 100644
--- a/internal/cli/init.go
+++ b/internal/cli/init.go
@@ -205,20 +205,26 @@ func readSecurePassphrase(prompt string) (*memguard.LockedBuffer, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer passphraseBuffer1.Destroy()
 
 	// Read confirmation passphrase
 	passphraseBuffer2, err := secret.ReadPassphrase("Confirm passphrase: ")
 	if err != nil {
+		passphraseBuffer1.Destroy()
+
 		return nil, fmt.Errorf("failed to read passphrase confirmation: %w", err)
 	}
-	defer passphraseBuffer2.Destroy()
 
 	// Compare passphrases
 	if passphraseBuffer1.String() != passphraseBuffer2.String() {
+		passphraseBuffer1.Destroy()
+		passphraseBuffer2.Destroy()
+
 		return nil, fmt.Errorf("passphrases do not match")
 	}
 
-	// Create a new buffer with the confirmed passphrase
-	return memguard.NewBufferFromBytes(passphraseBuffer1.Bytes()), nil
+	// Clean up the second buffer, we'll return the first
+	passphraseBuffer2.Destroy()
+
+	// Return the first buffer (caller is responsible for destroying it)
+	return passphraseBuffer1, nil
 }