diff --git a/Cargo.lock b/Cargo.lock index 2a8bd992c..179c6736a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -168,13 +168,29 @@ dependencies = [ "zeroize", ] +[[package]] +name = "aws-lc-fips-sys" +version = "0.13.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2608e5a7965cc9d58c56234d346c9c89b824c4c8652b6f047b3bd0a777c0644f" +dependencies = [ + "bindgen 0.69.5", + "cc", + "cmake", + "dunce", + "fs_extra", + "regex", +] + [[package]] name = "aws-lc-rs" version = "1.14.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "94b8ff6c09cd57b16da53641caa860168b88c172a5ee163b0288d3d6eea12786" dependencies = [ + "aws-lc-fips-sys", "aws-lc-sys", + "untrusted 0.7.1", "zeroize", ] @@ -473,6 +489,29 @@ version = "1.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "55248b47b0caf0546f7988906588779981c43bb1bc9d0c44087278f80cdb44ba" +[[package]] +name = "bindgen" +version = "0.69.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "271383c67ccabffb7381723dea0672a673f292304fcb45c01cc648c7a8d58088" +dependencies = [ + "bitflags 2.9.0", + "cexpr", + "clang-sys", + "itertools 0.12.1", + "lazy_static", + "lazycell", + "log", + "prettyplease", + "proc-macro2", + "quote", + "regex", + "rustc-hash 1.1.0", + "shlex", + "syn 2.0.101", + "which", +] + [[package]] name = "bindgen" version = "0.71.1" @@ -482,13 +521,13 @@ dependencies = [ "bitflags 2.9.0", "cexpr", "clang-sys", - "itertools", + "itertools 0.13.0", "log", "prettyplease", "proc-macro2", "quote", "regex", - "rustc-hash", + "rustc-hash 2.1.1", "shlex", "syn 2.0.101", ] @@ -502,13 +541,13 @@ dependencies = [ "bitflags 2.9.0", "cexpr", "clang-sys", - "itertools", + "itertools 0.13.0", "log", "prettyplease", "proc-macro2", "quote", "regex", - "rustc-hash", + "rustc-hash 2.1.1", "shlex", "syn 2.0.101", ] 
@@ -1738,6 +1777,15 @@ dependencies = [ "serde", ] +[[package]] +name = "itertools" +version = "0.12.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ba291022dbbd398a455acf126c1e341954079855bc60dfdda641363bd6922569" +dependencies = [ + "either", +] + [[package]] name = "itertools" version = "0.13.0" @@ -1811,6 +1859,12 @@ version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" +[[package]] +name = "lazycell" +version = "1.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55" + [[package]] name = "libc" version = "0.2.175" @@ -1855,6 +1909,12 @@ version = "0.5.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0717cef1bc8b636c6e1c1bbdefc09e6322da8a9321966e8928ef80d20f7f770f" +[[package]] +name = "linux-raw-sys" +version = "0.4.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d26c52dbd32dccf2d10cac7725f8eae5296885fb5703b261f7d0a0739ec807ab" + [[package]] name = "linux-raw-sys" version = "0.11.0" @@ -2025,6 +2085,7 @@ dependencies = [ "approx", "aws-config", "aws-credential-types", + "aws-lc-rs", "aws-sigv4", "backtrace", "base64 0.13.1", @@ -2032,6 +2093,7 @@ dependencies = [ "bson 2.15.0", "bson 3.0.0", "chrono", + "cmake", "cross-krb5", "derive-where", "derive_more", @@ -2087,6 +2149,7 @@ dependencies = [ "tokio", "tokio-openssl", "tokio-rustls", + "tokio-util", "tracing", "typed-builder", "uuid", @@ -2435,7 +2498,7 @@ dependencies = [ "pin-project-lite", "quinn-proto", "quinn-udp", - "rustc-hash", + "rustc-hash 2.1.1", "rustls", "socket2 0.5.10", "thiserror 2.0.12", @@ -2455,7 +2518,7 @@ dependencies = [ "lru-slab", "rand 0.9.1", "ring", - "rustc-hash", + "rustc-hash 2.1.1", "rustls", "rustls-pki-types", "slab", 
@@ -2703,7 +2766,7 @@ dependencies = [ "cfg-if", "getrandom 0.2.16", "libc", - "untrusted", + "untrusted 0.9.0", "windows-sys 0.52.0", ] @@ -2713,6 +2776,12 @@ version = "0.1.26" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "56f7d92ca342cea22a06f2121d944b4fd82af56988c270852495420f961d4ace" +[[package]] +name = "rustc-hash" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2" + [[package]] name = "rustc-hash" version = "2.1.1" @@ -2738,6 +2807,19 @@ dependencies = [ "semver", ] +[[package]] +name = "rustix" +version = "0.38.44" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fdb5bc1ae2baa591800df16c9ca78619bf65c0488b41b96ccec5d11220d8c154" +dependencies = [ + "bitflags 2.9.0", + "errno", + "libc", + "linux-raw-sys 0.4.15", + "windows-sys 0.52.0", +] + [[package]] name = "rustix" version = "1.1.2" @@ -2747,7 +2829,7 @@ dependencies = [ "bitflags 2.9.0", "errno", "libc", - "linux-raw-sys", + "linux-raw-sys 0.11.0", "windows-sys 0.59.0", ] @@ -2798,7 +2880,7 @@ dependencies = [ "aws-lc-rs", "ring", "rustls-pki-types", - "untrusted", + "untrusted 0.9.0", ] [[package]] @@ -3247,7 +3329,7 @@ dependencies = [ "fastrand", "getrandom 0.3.2", "once_cell", - "rustix", + "rustix 1.1.2", "windows-sys 0.59.0", ] @@ -3437,6 +3519,7 @@ checksum = "14307c986784f72ef81c89db7d9e28d6ac26d16213b109ea501696195e6e3ce5" dependencies = [ "bytes", "futures-core", + "futures-io", "futures-sink", "pin-project-lite", "tokio", 
@@ -3602,6 +3685,12 @@ version = "0.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e70f2a8b45122e719eb623c01822704c4e0907e7e426a05927e1a1cfff5b75d0" +[[package]] +name = "untrusted" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" + [[package]] name = "untrusted" version = "0.9.0" @@ -3795,6 +3884,18 @@ dependencies = [ "rustls-pki-types", ] +[[package]] +name = "which" +version = "4.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "87ba24419a2078cd2b0f2ede2691b6c66d8e47836da3b6db8265ebad47afbfc7" +dependencies = [ + "either", + "home", + "once_cell", + "rustix 0.38.44", +] + [[package]] name = "widestring" version = "1.2.0" diff --git a/Cargo.toml b/Cargo.toml index d72b373b2..5aaa5bbea 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -73,12 +73,14 @@ in-use-encryption-unstable = ["in-use-encryption"] tracing-unstable = ["dep:tracing", "dep:log", "bson3?/serde_json-1"] [dependencies] +aws-lc-rs = { version = "1.0.0", features = ["bindgen"] } base64 = "0.13.0" bitflags = "1.1.0" chrono = { version = "0.4.7", default-features = false, features = [ "clock", "std", ] } +cmake = "0.1.0" derive_more = "0.99.17" derive-where = "1.2.7" flate2 = { version = "1.0", optional = true } @@ -125,7 +127,6 @@ optional = true default-features = false features = ["default-https-client", "rt-tokio"] - [dependencies.aws-credential-types] version = "1.2.4" optional = true diff --git a/src/client/auth/scram.rs b/src/client/auth/scram.rs index 8ad1b1915..3f340b218 100644 --- a/src/client/auth/scram.rs +++ b/src/client/auth/scram.rs @@ -6,8 +6,9 @@ use std::{ str, }; +use aws_lc_rs; use hmac::{ - digest::{Digest, FixedOutput, KeyInit}, + digest::{Digest, KeyInit}, Hmac, Mac, }; 
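Review bot: `aws-lc-rs` (with the `bindgen` feature) and `cmake` are added as unconditional entries under `[dependencies]`, so every consumer of the crate now takes on a native C/CMake build and the extra packages the lockfile hunks show (`aws-lc-fips-sys`, a second `bindgen` 0.69.5, `which`, `rustix` 0.38.44). Nothing in the visible source hunks calls the `cmake` crate from library code; if it is only there to influence the native build, it belongs under `[build-dependencies]` or should be dropped. The requirement `version = "1.0.0"` is also much looser than the 1.14.0 the lockfile resolves, so a floor matching what was actually tested would be safer, for example `aws-lc-rs = { version = "1.14", features = ["bindgen"] }`. Please confirm the `bindgen` feature is needed at all, since it presumably adds a libclang requirement at build time.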
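Review bot: The added `use aws_lc_rs;` in `src/client/auth/scram.rs` is a single-component import of an external crate, which is already in scope on edition 2018 or later and is what clippy's `single_component_path_imports` lint flags. The later hunks spell out the full `aws_lc_rs::pbkdf2::…` path at every use, so the line can be removed; alternatively write `use aws_lc_rs::pbkdf2;` and shorten the call sites.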
@@ -301,8 +302,20 @@ impl ScramVersion {
 /// The "h_i" function as defined in the SCRAM RFC.
 fn h_i(&self, str: &str, salt: &[u8], iterations: u32) -> Vec {
 match self {
- ScramVersion::Sha1 => h_i::>(str, salt, iterations, 160 / 8),
- ScramVersion::Sha256 => h_i::>(str, salt, iterations, 256 / 8),
+ ScramVersion::Sha1 => h_i_with_hmac(
+ aws_lc_rs::pbkdf2::PBKDF2_HMAC_SHA1,
+ str,
+ salt,
+ iterations,
+ 160 / 8,
+ ),
+ ScramVersion::Sha256 => h_i_with_hmac(
+ aws_lc_rs::pbkdf2::PBKDF2_HMAC_SHA256,
+ str,
+ salt,
+ iterations,
+ 256 / 8,
+ ),
 }
 }

@@ -374,14 +387,21 @@ fn hash(val: &[u8]) -> Vec {
 hash.finalize().to_vec()
 }

-fn h_i(
+fn h_i_with_hmac(
+ algo: aws_lc_rs::pbkdf2::Algorithm,
 str: &str,
 salt: &[u8],
 iterations: u32,
 output_size: usize,
 ) -> Vec {
 let mut buf = vec![0u8; output_size];
- pbkdf2::pbkdf2::(str.as_bytes(), salt, iterations, buf.as_mut_slice());
+ aws_lc_rs::pbkdf2::derive(
+ algo,
+ std::num::NonZero::new(iterations).unwrap(),
+ salt,
+ str.as_bytes(),
+ &mut buf,
+ );
 buf
 }
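Review bot: Both arms of `ScramVersion::h_i` pass the output length (`160 / 8`, `256 / 8`) separately from the PBKDF2 algorithm constant, so nothing ties the derived-key length to the chosen PRF. RFC 5802 defines Hi() as PBKDF2 with dkLen equal to the hash output length. Named constants would make that visible, e.g. `aws_lc_rs::digest::SHA1_OUTPUT_LEN` and `aws_lc_rs::digest::SHA256_OUTPUT_LEN` in place of the arithmetic. A comment such as `// Hi() is PBKDF2-HMAC with dkLen = digest length (RFC 5802, section 2.2)` would also help.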
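Review bot: `std::num::NonZero::new(iterations).unwrap()` in `h_i_with_hmac` panics when `iterations` is 0, and in SCRAM the iteration count comes from the server's first message, so a peer-supplied value could abort the client unless it is rejected before this call. No such check is visible in this hunk. If a minimum iteration count is already enforced upstream, state the invariant with `.expect("iteration count is validated as non-zero before key derivation")`; otherwise surface an authentication error instead of unwrapping. The generic `std::num::NonZero` is only stable on fairly recent toolchains, so `std::num::NonZeroU32::new(iterations)` is the safer spelling if the crate supports an older MSRV.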