Scaleway's standard kernel for Debian 8 (Jessie) has no AES-NI active.

If you try to load the module, you'll get an error message.

This is not due to a hardware limitation: the 2/4/8-core Atom systems support AES perfectly fine.

It's also not a Debian issue.

What's missing is the whole kernel module support, because Scaleway runs a modified kernel and they didn't enable the module.

 ___  ___ __ _| | _____      ____ _ _   _
/ __|/ __/ _` | |/ _ \ \ /\ / / _` | | | |
\__ \ (_| (_| | |  __/\ V  V / (_| | |_| |
|___/\___\__,_|_|\___| \_/\_/ \__,_|\__, |

Welcome on Debian Jessie (GNU/Linux 4.5.1-std-1 x86_64 )

System information as of: Sat Jul  2 13:37:34 UTC 2016

System load:	0.14		Int IP Address:	xx 
Memory usage:	3.0%		Pub IP Address:	yy
Usage on /:	4%		Swap usage:	0.0%
Local Users:	0		Processes:	181
Image build:	2016-04-06	System uptime:	4 days
Disk nbd0:	l_ssd 50G

Image source:

Last login: Fri Jul  1 12:49:05 2016 from xx
root@ref-one-master:~# find /lib | grep aes


To enable it, you just have to change the kernel you're running, like this:




Bootscript change

In your server's properties there's a hidden menu to modify the boot environment:




Change the kernel




Select and save the 4.5.7 kernel, which is recent enough to include their bugfix.




Restart your server to load the newer kernel

(kexec anyone?)

root@ref-one-master:~# reboot
Connection to ref-one-master.. closed by remote host.
Connection to ref-one-master.. closed.


After the reboot, verify that the module is available:

root@ref-one-master:~# find /lib/modules/4.5.7-std-2/ | grep aes
root@ref-one-master:~# lsmod | grep aes
root@ref-one-master:~# modprobe aesni-intel
root@ref-one-master:~# lsmod | grep aes
aesni_intel           157658  0 
aes_x86_64              7503  1 aesni_intel
lrw                     3477  1 aesni_intel
glue_helper             3893  1 aesni_intel
ablk_helper             2012  1 aesni_intel
cryptd                  7817  2 aesni_intel,ablk_helper

As you can see the module still wasn't loaded automatically, but I think this is default behavior of most distros.

Add it to your /etc/modules as you like - I just wanted to make sure you know how to get the module.


I've been working with various IT things for almost my whole life. It'll never stop entertaining me how people always make an "advanced settings" menu.

As a normal user you're not even really supposed to need it. Often enough it's even unsupported to modify anything in it. 

Yet, it's always this place where you need to fiddle around to get things really right.

I suggest for the future we just rename "Advanced" to "Oops" or "Sorry!"



If you run into trouble:

I had a problem with booting because an external disk would not attach, thanks to systemd that of course turned out fatal...

Some advice:

  • there is a rescue bootscript; it'll bring up a base Ubuntu accessible with your configured SSH key. You then mount your /dev/nbd0 and chroot to it.
  • set a root password if you're messing with fstab, kernels, etc. to allow you to log in via the console
  • scw attach to get to the console
  • (change laws so it is legal to beat up systemd advocates until they start ssh before mounting secondary filesystems)
  • scw reboot to restart your server
  • system once started with 4.5.7 kernel and 4.5.1 modules or vice versa. In either case, the xfs kernel module was missing, and thus no filesystems could be mounted
  • system once hung when attaching nbd0 - I waited a few minutes just in case and then rebooted (hard reboot via panel), which sorted things.
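
The manual checks from the verification step, plus the kernel/modules mismatch mentioned in the list above, combined into one script. This is an added example, not part of the original post; the function names and status strings are made up for it, and the file locations are arguments so it can also be run against constructed sample files.

```shell
#!/bin/sh
# Added example: classify the AES-NI state of a host.

# True if the "flags" line of the cpuinfo file $1 lists the "aes" feature.
cpu_has_aes() {
    grep -Eq '^flags.*[[:space:]]aes([[:space:]]|$)' "$1" 2>/dev/null
}

# True if the kernel crypto API has an AES-NI backed driver registered
# (covers both a loaded module and a built-in driver).
aesni_active() {
    grep -q '^driver.*aesni' "$1" 2>/dev/null
}

# True if an aesni-intel module file exists for kernel release $1 under $2.
module_available() {
    [ -n "$(find "$2/$1" -name 'aesni[-_]intel.ko*' 2>/dev/null)" ]
}

# aesni_status [CPUINFO] [KERNEL_RELEASE] [MODULE_ROOT] [PROC_CRYPTO]
# Prints one of: no-cpu-support, active, kernel-modules-mismatch,
# module-not-loaded, module-missing.
aesni_status() {
    cpuinfo=${1:-/proc/cpuinfo}
    krel=${2:-$(uname -r)}
    modroot=${3:-/lib/modules}
    crypto=${4:-/proc/crypto}
    if ! cpu_has_aes "$cpuinfo"; then
        echo no-cpu-support
    elif aesni_active "$crypto"; then
        echo active
    elif [ ! -d "$modroot/$krel" ]; then
        # Running kernel has no module directory (kernel and modules differ).
        echo kernel-modules-mismatch
    elif module_available "$krel" "$modroot"; then
        echo module-not-loaded   # modprobe aesni-intel, then add to /etc/modules
    else
        echo module-missing      # this kernel build does not ship the module
    fi
}

aesni_status    # report for the live system
```

A result of module-missing matches the situation on the standard 4.5.1 kernel described at the top; module-not-loaded matches the state right after booting 4.5.7.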