#Microsoft locks account that #VeraCrypt maintainer uses to sign #Windows bootloaders with no explanation or route for appeal.
-
#Microsoft locks account that #VeraCrypt maintainer uses to sign #Windows bootloaders with no explanation or route for appeal. If they don't fix this, in a few months every Windows computer that uses VeraCrypt whole-disk encryption will stop being able to boot and all the data on it that isn't backed up elsewhere will be lost.

If this doesn't convince you big tech has too much control, I don't know what will.
h/t @zackwhittaker
https://techcrunch.com/2026/04/08/veracrypt-encryption-software-windows-microsoft-lock-boot-issues/
#infosec #privacy #TechIsShitDispatch
-
If you use #VeraCrypt full-disk encryption on #Windows, then READ THE ABOVE ARTICLE and pay attention to this developing story. If it hasn't been resolved in the next month or so then you are going to want to disable VeraCrypt on your computer to avoid being permanently locked out of your own computer when the VeraCrypt bootloader signing certificates expire and the maintainer isn't able to renew them.
#PSA
-
@jik @zackwhittaker
Weeeelll, that's a bit too much panic!
Yes, the machines might not boot anymore, but the data is still there.
It can still be read on a normal Linux Live-ISO just fine. -
@manawyrm @jik @zackwhittaker wait, so if the certificate expires *existing signed binaries* will no longer run? Does this mean any signed bootloader has an inherent shelf life and will need to be re-signed every so many years even if no changes are being made to it?
-
@manawyrm @jik @zackwhittaker or is it that the cert will be explicitly revoked rather than expired? the article is a bit unclear on this
-
@azonenberg @manawyrm @jik @zackwhittaker afaik no. the expiry usually isn't enforced.
-
@gsuberland @manawyrm @jik @zackwhittaker Usually the way cert expiration for signing works is signatures are timestamped by a third party and any signature *made* post expiry is not trusted, but old ones are valid in perpetuity as long as the cert had been valid when the signature was created
-
@gsuberland @azonenberg @jik @zackwhittaker that's what I would've expected as well, but I'm not 100% sure about how Windows driver signing works.
Either way, the data is perfectly fine

-
@azonenberg @manawyrm @jik @zackwhittaker yes, precisely
-
@gsuberland @azonenberg @manawyrm @jik @zackwhittaker certificate expiry won't be enforced, however if outright revocation of binaries happen, that will be
-
@manawyrm @azonenberg @jik @zackwhittaker fairly sure driver signatures don't have an expiry at all; it's only the CA that has an expiry and an expired CA doesn't invalidate an existing valid signature, as long as that signature's date was within the valid time range of the CA.
-
@Rairii @manawyrm @jik @azonenberg @zackwhittaker yup exactly the way I thought it worked
-
@manawyrm @azonenberg @jik @zackwhittaker (yes just checked and this is exactly how it works)
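The rule azonenberg, Rairii and gsuberland describe above (a timestamped signature stays valid after the signing certificate expires as long as the certificate was valid at signing time, while outright revocation of a binary is enforced regardless) as an added example. This is a constructed model of that logic, not code from the thread, from Windows or from VeraCrypt; the class names, dates and hashes are all made up for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed model of the trust rule discussed in the thread (hypothetical
# names, not Windows' or VeraCrypt's own code): a signature counts as valid if
# the signing certificate was within its validity window at the time a
# third-party timestamp authority countersigned it, even if the certificate
# has since expired. Explicit revocation of the signed binary is enforced no
# matter when the signature was made.


@dataclass(frozen=True)
class SigningCert:
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Signature:
    binary_hash: str             # hash of the signed boot image
    cert: SigningCert
    timestamp: datetime | None   # countersignature time from a timestamp authority, if any


@dataclass
class TrustStore:
    # Revocation by image hash: the "revocation of binaries" the thread refers to
    revoked_hashes: set[str] = field(default_factory=set)


def evaluate(sig: Signature, store: TrustStore, now: datetime) -> tuple[bool, str]:
    """Decide whether `sig` is trusted at `now`; returns (trusted, reason)."""
    if sig.binary_hash in store.revoked_hashes:
        return False, "binary revoked"
    # A timestamped signature is judged at the timestamp; an untimestamped one
    # can only be judged against the current clock, so it dies with the cert.
    reference_time = sig.timestamp if sig.timestamp is not None else now
    if reference_time < sig.cert.not_before:
        return False, "certificate not yet valid at signing time"
    if reference_time > sig.cert.not_after:
        return False, "certificate expired at the time used for evaluation"
    return True, "certificate valid at signing time"


def demo() -> dict[str, tuple[bool, str]]:
    """Constructed scenarios: the dates and hashes are made up."""
    utc = timezone.utc
    cert = SigningCert(
        subject="Example Bootloader Signer (constructed)",
        not_before=datetime(2024, 1, 1, tzinfo=utc),
        not_after=datetime(2026, 1, 1, tzinfo=utc),
    )
    # Evaluate everything a year after the certificate has expired.
    now = datetime(2027, 1, 1, tzinfo=utc)
    store = TrustStore(revoked_hashes={"hash-of-withdrawn-image"})

    timestamped = Signature("hash-of-old-image", cert, datetime(2025, 6, 1, tzinfo=utc))
    untimestamped = Signature("hash-of-old-image", cert, None)
    signed_after_expiry = Signature("hash-of-late-image", cert, datetime(2026, 6, 1, tzinfo=utc))
    revoked = Signature("hash-of-withdrawn-image", cert, datetime(2025, 6, 1, tzinfo=utc))

    return {
        "timestamped_before_expiry": evaluate(timestamped, store, now),
        "untimestamped": evaluate(untimestamped, store, now),
        "timestamped_after_expiry": evaluate(signed_after_expiry, store, now),
        "revoked_binary": evaluate(revoked, store, now),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:28} trusted={ok!s:5} ({why})")
```

Running the script shows the distinction the thread is making: the old timestamped signature is still trusted a year after the certificate expired, the untimestamped one is not, a signature timestamped after expiry is not, and a revoked image fails even though its signature would otherwise be fine. Which of these paths a given firmware or OS loader actually enforces is exactly what the thread is trying to pin down, so treat the model as the rule being described, not as a statement about any particular implementation.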
-
@manawyrm @gsuberland @azonenberg @jik @zackwhittaker
The data may be fine; however, not everyone who may use VeraCrypt has the same knowledge and skill base to know to pull up a Linux Live USB and go get their data back. I've encouraged non-technical users to use easy breakthroughs to add encryption to their Windows Home environments. They definitely will not have the knowledge to just go do this. Many may not have another device to create the Linux Live USB either.
This is still a problem, whether or not the data is still available through other means. -
@jeffcodes @gsuberland @azonenberg @jik @zackwhittaker I'm very sorry, but users that aren't capable of getting help with recovering such data from someone that can handle a Linux Live ISO shouldn't be using VeraCrypt to begin with.
It's extremely likely to just cause your system to stop booting (and that has happened to me 5+ times in the years I was using it) -- it's just a regular occurrence and you'll need to deal with these things as a user. -
@azonenberg @gsuberland @jik @manawyrm @zackwhittaker that said. i wonder if this is MS attempting to do some form of moderation on driver / EFI signers, given the instances of game cheat devs and outright malware actors signing drivers in the past (do i need to cite that unknowncheats thread again?)
that said, I quickly browsed around unknowncheats and didn't see anyone complaining about this, so... -
@manawyrm @gsuberland @azonenberg @jik @zackwhittaker
IMO, it is not acceptable to simply overlook these hurdles and say, "this is not available to you because you're not technical like me." These tools are necessary against the mass surveillance of the companies like Microsoft, Google, etc. and governments alike.
We, as technologists, should be working to make these more accessible to those who are not technologists too. Those folks deserve the right and privacy and security like the rest of us. -
@jeffcodes @gsuberland @azonenberg @jik @zackwhittaker You're absolutely right and will get no argument from me there. I have always supported people encrypting their drives and will give support to people trying to do that.
Still, VeraCrypt is just a very fragile piece of kit and users need to know that and be able to either fix it themselves or know someone who can do it.
Telling just random people on the streets to install it will indeed just block access to their data -- even without MS.
-
@jik @zackwhittaker
> If they don't fix this, in a few months every Windows computer that uses VeraCrypt whole-disk encryption will stop being able to boot and all the data on it that isn't backed up elsewhere will be lost.
uhmmm this seems like a pretty big design flaw. Imagine if on FreeBSD or Linux that your GELI / LUKS encryption stops working because some developer's computer was inaccessible.... -
@manawyrm @gsuberland @azonenberg @jik @zackwhittaker
Fair enough. I don't encourage just anyone either. Those who I have encouraged also know to call me if something blows up!
