Jonathan Kamens 86 474d ago
#Microsoft locks account that #VeraCrypt maintainer uses to sign #Windows bootloaders with no explanation or route for appeal. If they don't fix this, in a few months every Windows computer that uses VeraCrypt whole-disk encryption will stop being able to boot and all the data on it that isn't backed up elsewhere will be lost. 🤦
If this doesn't convince you big tech has too much control, I don't know what will.
h/t @zackwhittaker
https://techcrunch.com/2026/04/08/veracrypt-encryption-software-windows-microsoft-lock-boot-issues/
#infosec #privacy #TechIsShitDispatch
Developer of VeraCrypt encryption software says Windows users may face boot-up issues after Microsoft locked his account | TechCrunch

The maker of the popular open-source file encryption software VeraCrypt said Microsoft locked his online account, which may prevent device owners from booting up their computers.

TechCrunch
Show threadManawyrm | Sarah4d ago
@jik @zackwhittaker
Weeeelll, that's a bit too much panic!
Yes, the machines might not boot anymore, but the data is still there.
It can still be read on a normal Linux Live-ISO just fine.
Show threadAndrew Zonenberg4d ago
@manawyrm @jik @zackwhittaker wait, so if the certificate expires *existing signed binaries* will no longer run? Does this mean any signed bootloader has an inherent shelf life and will need to be re-signed every so many years even if no changes are being made to it?
Show threadGraham Sutherland / Polynomial4d ago
@azonenberg @manawyrm @jik @zackwhittaker afaik no. the expiry usually isn't enforced.
Show threadManawyrm | Sarah4d ago

@gsuberland @azonenberg @jik @zackwhittaker that's what I would've expected as well, but I'm not 100% sure about how Windows driver signing works.

Either way, the data is perfectly fine :)

Show threadGraham Sutherland / Polynomial4d ago
@manawyrm @azonenberg @jik @zackwhittaker fairly sure driver signatures don't have an expiry at all; it's only the CA that has an expiry and an expired CA doesn't invalidate an existing valid signature, as long as that signature's date was within the valid time range of the CA.
Show threadgkrnours

@gsuberland @manawyrm @azonenberg @jik @zackwhittaker in an ideal world, the boot payload is checked by a secure enclave of your motherboard and if it doesn't look legit, it's refused, device doesn't boot and the secure enclave doesn't provide it's part of the decryption, meaning the data stay locked.

Also, all data on disk would be backed up somewhere safe so it would be simply a matter of wiping the device clean and reinstalling.

Apr 8 at 9:26pmWeb