diff --git a/morph/lib/issuer-aws.nix b/morph/lib/issuer-aws.nix
index 065e37be07f0b10c22c3608f11f11136fbab11d1..09b43de28e010085a4e05192a2d6b30429eda51f 100644
--- a/morph/lib/issuer-aws.nix
+++ b/morph/lib/issuer-aws.nix
@@ -13,6 +13,11 @@
     randomEncryption = true;
   } ];
 
+  # If we don't autoload the loop module, crypt-swap setup fails with the
+  # not very helpful message: "loop device with autoclear flag is required"
+  # See https://unix.stackexchange.com/a/554500/81275
+  boot.kernelModules = [ "loop" ];
+
   # Break the tie between AWS and morph for the hostname by forcing the
   # morph-supplied name.  See also
   # <https://github.com/DBCDK/morph/issues/146>.