diff --git a/build.sbt b/build.sbt
index 838c18e..857c4b6 100644
--- a/build.sbt
+++ b/build.sbt
@@ -25,7 +25,14 @@ lazy val `secure-config` = (project in file("."))
 Seq(
 "com.github.pureconfig" %% "pureconfig-cats-effect" % "0.17.4",
 "io.monix" %% "newtypes-core" % "0.2.3",
- "com.dwolla" %% "fs2-aws-java-sdk2" % "3.0.0-RC2",
+ "com.disneystreaming.smithy4s" %% "smithy4s-http4s" % smithy4sVersion.value,
+ "com.disneystreaming.smithy4s" %% "smithy4s-aws-http4s" % smithy4sVersion.value,
+ "org.typelevel" %% "mouse" % "1.2.1",
 )
 },
+ smithy4sAwsSpecs ++= Seq(AWS.kms),
+ scalacOptions += "-Wconf:src=src_managed/.*:s",
+ )
+ .enablePlugins(
+ Smithy4sCodegenPlugin,
 )
diff --git a/project/plugins.sbt b/project/plugins.sbt
index 19b0429..00ef1b3 100644
--- a/project/plugins.sbt
+++ b/project/plugins.sbt
@@ -1,3 +1,4 @@
 addSbtPlugin("org.typelevel" % "sbt-typelevel-ci-release" % "0.5.3")
 addSbtPlugin("org.typelevel" % "sbt-typelevel-settings" % "0.5.3")
 addSbtPlugin("org.typelevel" % "sbt-typelevel-mergify" % "0.5.3")
+addSbtPlugin("com.disneystreaming.smithy4s" % "smithy4s-sbt-codegen" % "0.18.3")
diff --git a/src/main/scala/com/dwolla/config/package.scala b/src/main/scala/com/dwolla/config/package.scala
index 9fca398..96b77e2 100644
--- a/src/main/scala/com/dwolla/config/package.scala
+++ b/src/main/scala/com/dwolla/config/package.scala
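Review bot: The `scalacOptions += "-Wconf:src=src_managed/.*:s"` line in the build.sbt hunk silences every compiler warning under `src_managed` with no explanation of why. Presumably it exists so warnings in the smithy4s-generated KMS client do not fail a warnings-as-errors build, but that is not stated, and the filter also covers any other generated sources added later. A short comment would do, for example `// generated smithy4s sources: silence warnings we cannot fix by hand`. The project definition starts and ends outside the hunk.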
@@ -2,19 +2,25 @@ package com.dwolla
 import cats.*
 import cats.syntax.all.*
-import com.dwolla.fs2aws.kms.*
+import com.amazonaws.kms.{CiphertextType, KMS}
 import monix.newtypes.NewtypeWrapped
+import mouse.all.*
 import pureconfig.ConfigReader
+import smithy4s.Blob
 package object config {
 private[this] val secureStringRegex = "^SECURE: (.+)".r
- def SecureReader[F[_] : Monad](decryptionClient: KmsAlg[F]): ConfigReader[F[SecurableString]] =
+ def SecureReader[F[_] : MonadThrow](kms: KMS[F]): ConfigReader[F[SecurableString]] =
 ConfigReader[String].map {
 case secureStringRegex(cryptotext) =>
- for {
- bytes <- decryptionClient.decrypt(cryptotext)
- } yield SecurableString(bytes)
+ kms.decrypt(CiphertextType(Blob(cryptotext.getBytes())))
+ .map(_.plaintext) // TODO does this need to be base64-decoded?
+ .liftOptionT
+ .getOrRaise(new RuntimeException("boom")) // TODO convert to a better exception
+ .map(_.value.toUTF8String)
+ .map(SecurableString(_))
 case s => SecurableString(s).pure[F]
 }
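Review bot: In `SecureReader`, `Blob(cryptotext.getBytes())` hands KMS the characters of the config string, encoded with the platform default charset, rather than the ciphertext bytes themselves. The hunk does not show the stored format, but a ciphertext kept in a text config value is presumably base64, so the input likely needs decoding first, e.g. `kms.decrypt(CiphertextType(Blob(java.util.Base64.getDecoder.decode(cryptotext))))`. The existing TODO on `.map(_.plaintext)` asks about the output side only. The missing-plaintext branch raises `new RuntimeException("boom")`, which gives an operator nothing to act on. A message such as `"KMS Decrypt response contained no plaintext"`, without echoing the ciphertext, would make a failed secret load diagnosable.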