diff --git a/authority/authority.go b/authority/authority.go
index 72e21767..f2118eac 100644
--- a/authority/authority.go
+++ b/authority/authority.go
@@ -140,7 +140,7 @@ func New(cfg *config.Config, opts ...Option) (*Authority, error) {
 }
 }
 if a.keyManager != nil {
- a.keyManager = &instrumentedKeyManager{a.keyManager, a.meter}
+ a.keyManager = newInstrumentedKeyManager(a.keyManager, a.meter)
 }
 if !a.skipInit {
@@ -169,7 +169,7 @@ func NewEmbedded(opts ...Option) (*Authority, error) {
 }
 }
 if a.keyManager != nil {
- a.keyManager = &instrumentedKeyManager{a.keyManager, a.meter}
+ a.keyManager = newInstrumentedKeyManager(a.keyManager, a.meter)
 }
 // Validate required options
@@ -350,7 +350,7 @@ func (a *Authority) init() error {
 return err
 }
- a.keyManager = &instrumentedKeyManager{a.keyManager, a.meter}
+ a.keyManager = newInstrumentedKeyManager(a.keyManager, a.meter)
 }
 // Initialize linkedca client if necessary. On a linked RA, the issuer
diff --git a/authority/meter.go b/authority/meter.go
index cccda22a..c99069a4 100644
--- a/authority/meter.go
+++ b/authority/meter.go
@@ -66,6 +66,22 @@ type instrumentedKeyManager struct {
 meter Meter
 }
+type instrumentedKeyAndDecrypterManager struct {
+ kms.KeyManager
+ decrypter kmsapi.Decrypter
+ meter Meter
+}
+
+func newInstrumentedKeyManager(k kms.KeyManager, m Meter) kms.KeyManager {
+ decrypter, isDecrypter := k.(kmsapi.Decrypter)
+ switch {
+ case isDecrypter:
+ return &instrumentedKeyAndDecrypterManager{&instrumentedKeyManager{k, m}, decrypter, m}
+ default:
+ return &instrumentedKeyManager{k, m}
+ }
+}
+
 func (i *instrumentedKeyManager) CreateSigner(req *kmsapi.CreateSignerRequest) (s crypto.Signer, err error) {
 if s, err = i.KeyManager.CreateSigner(req); err == nil {
 s = &instrumentedKMSSigner{s, i.meter}
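Review bot: `newInstrumentedKeyManager` in authority/meter.go re-exposes only `kmsapi.Decrypter`; because both wrapper types embed the `kms.KeyManager` interface, any other optional interface the underlying KMS implements is still hidden from a type assertion on the wrapped value, and nothing on the function says so. Whether other such assertions on `a.keyManager` exist is not visible in this diff, so the callers are worth checking before this is treated as a complete fix. I would state the contract on the constructor: `// newInstrumentedKeyManager wraps k so signing is metered. It keeps kmsapi.Decrypter visible when k implements it; other optional interfaces of k are not forwarded.` The two-way `switch` would also read more simply as `if isDecrypter { … }` followed by the plain `return &instrumentedKeyManager{k, m}`.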
@@ -74,6 +90,10 @@ func (i *instrumentedKeyManager) CreateSigner(req *kmsapi.CreateSignerRequest) (
 return
 }
+func (i *instrumentedKeyAndDecrypterManager) CreateDecrypter(req *kmsapi.CreateDecrypterRequest) (s crypto.Decrypter, err error) {
+ return i.decrypter.CreateDecrypter(req)
+}
+
 type instrumentedKMSSigner struct {
 crypto.Signer
 meter Meter
@@ -85,3 +105,7 @@ func (i *instrumentedKMSSigner) Sign(rand io.Reader, digest []byte, opts crypto.
 return
 }
+
+var _ kms.KeyManager = (*instrumentedKeyManager)(nil)
+var _ kms.KeyManager = (*instrumentedKeyAndDecrypterManager)(nil)
+var _ kmsapi.Decrypter = (*instrumentedKeyAndDecrypterManager)(nil)
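Review bot: `CreateDecrypter` on `instrumentedKeyAndDecrypterManager` returns the underlying decrypter unwrapped, so decrypt operations with KMS-held keys never reach the meter, whereas `CreateSigner` wraps its result in `instrumentedKMSSigner`; the struct's `meter` field is therefore unused in the code visible in this diff. If the Meter interface has no decrypt hook (its definition is not shown here) and the pass-through is deliberate, record that above the method: `// CreateDecrypter forwards to the wrapped KMS unchanged; decrypt operations are not metered.` The named results `s` and `err` are never assigned, so the signature could be the plainer `(crypto.Decrypter, error)`.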