This is the same problem I'm currently facing with WireGuard. No warning at all, no notification. One day I sign in to publish an update, and yikes, account suspended. Currently undergoing some sort of 60 days appeals process, but who knows. That's kind of crazy: what if there were some critical RCE in WireGuard, being exploited in the wild, and I needed to update users immediately? (That's just hypothetical; don't freak out!) In that case, Microsoft would have my hands entirely tied.

If anybody within Microsoft is able to do something, please contact me -- jason at zx2c4 dot com.

They need to get some tech site like Arstechnica to write about it, like they did when neocities couldn't get ahold of bing. The only way to contact these tech companies to speak to a real human being and not a chatbot is if you know somebody who works there or if the media writes about it.

It's like LibreOffice all over again: https://www.neowin.net/news/microsoft-bans-libreoffice-devel...

First I was surprised to read the Veracrypt maintainers could be in this situation, then read the top comment where Wireguard maintainers are too (unless I misunderstood). Is this some malicious new program inside Microsoft to try and shutdown open source projects so they can push Windows products and solutions more?

Update from a VP at Microsoft: https://x.com/shanselman/status/2041977121686585396?s=46

Honest question, did we ever get an answer what was the cause for the sudden change from the original Truecrypt developer?

Even if one doesn't want to maintain that project for purely private reasons, recommending Bitlocker as the drop-in-replacement always made it smell fishy to me.

Linux is the only hope at this point for the future of computing.

Windows and macOS are just too risky to do any business with. Waste of all resources.

prediction: they are testing the waters. If there is enough outcry they will go "oopsie whoopsie, hehe :3 your account is restored".

If there isn't enough outcry they will go forward and disable more signing keys related to things like torrent clients, VPN software, eject UBO from the edge store etc etc.

Atleast now I'm a bit more certain that VC is indeed safe.

Microsoft disabled the developer's certificate so no windows releases can be made.

I am somewhat also concerned that this software was still being distributed on SourceForge.

What sucks about this, is due to implementation,Windows is the only way to achieve some stuff in Veracrypt. For example: doing full system partition encryption, and the Hidden OS install that only Veracrypt can do- requires Windows with the computer set to MBR rather than UEFU. I had hoped we'd see more of the plausible deniability tech at the OS level

But aside from one or two experimental attempts, also presented at BlackHat https://web.archive.org/web/20250914062843/https://portswigg...

- the consumer has nearly lost access to high end plausible deniability

We need a better way to sign and verify software. Clearly companies like Microsoft and Apple have not been good for the open source communities and are inhibiting innovation.

Looks like Linux and some of the BSDs are the only remaining truly open OSes.

Sorry to hear about this turn of events, but it was pretty much to be expected given the way the world is turning, and Microsoft being Microsoft.

Switch to Linux if you can, and come give Shufflecake a try ;)

https://shufflecake.net/

https://community.osr.com/t/locked-out-of-microsoft-partner-... Could be a related issue to this? Maybe Microsoft just doesn’t want driver developers for whatever reason.

Microsoft doing everything in their power to be assholes, as always

Get off Windows right now.

The newest frontier AI models can easily find 0-days in all major software stacks, while the two biggest open source security tools on Windows can’t even ship patches.

That's especially ridiculous because this whole security mechanism that Microsoft is forcing on Windows user doesn't even work. There are tons of leaked certificates and on forums dedicated to game hacking you can find guides on how to get your hands on one yourself. People there use them to write kernel drivers for cheating in games. Game developers often blacklist these in their anti-cheat software so that the game no longer launches on a computer using a driver with that certificate. Microsoft however does not do this and malware developers can then simply use the certificates for their own purposes. So all this nonsense is basically just a restriction on regular users and honest developers while the “bad guys” can get around it.

Seeing this kind of friction makes me more confident in VeraCrypt. The tools that never seem to run into trouble with platform gatekeepers are the ones I'd worry about.

This is always a problem when big mega-corporations are involved, be it Google or Microsoft. They want to control the platform.

We really need viable solutions. I have been using Linux since +21 years or so, so it does not affect me personally, but I think Linux needs to become really a LOT more accessible to normal people. And it really has not (on the desktop); all the various "improvements" on GNOME3 or KDE are basically pointless, they have not solved the underlying problem. Ideally problems should be auto-resolvable. If someone wants to use the proprietary nvidia driver, that should be a single click - on ALL Linux distributions. Instead you see some distributions have their own ad-hoc solution and other distributions have no easy solution (for simple people).

I would not be surprised if it was some sort of AI driven mistake.

Some guy somewhere deciding to delegate threat assessment to Copilot or some other automated tool.

Besides Veracrypt, are there any real alternatives to Bitlocker for total drive encryption in Windows?

Can someone please explain the implications for current Windows users of VeraCrypt?

looks like the latest update was

> Mounir IDRASSI - 7 hours ago > Thank you all for your feedback and your support in getting media attention through various social platforms.

>After posting this, other developers in the security fields (like WireGuard) came forward to announce that they have the exact same issue. I understand why nobody talked publicly about this before and I'm glad that by going public I pushed others to do the same.

>Positive aspect is that a Microsoft VP (Scott Hanselman) has announced on X that he will help address this issue affecting me and others. He also reached out to me and connected me with other Microsoft people to help address this issue.

>I will let you know how things go.

I run a dual boot of windows and am currently dauly-driving CachyOS quite happily. I've been playing some Crimson desert and got some occasional crashes... But any other game I have has run smoothly.

Their GUI tools for package management are thin wrappers on CLI tools, but are enough hand-holding that most people should navigate it fine. More devices worked out of the box for my with Linux than Windows.

Just like if you haven't tried AI in a year and have mocked it, you need to try it again. Of you haven't tried Linux desktop in a few years, you need to try again. CachyOS really does seem to handle the driver installs and gaming compatibility well.

Anyone here who could reach out to specific persons inside Microsoft who could fix this?

If bitlocker wasn't crippled[1] on the home versions of Windows, this would be a non-issue. I hope a solution is found, even if it's 3rd party signing that works like the present solution.

[1] https://www.microsoft.com/en-us/windows/compare-windows-11-h...

Why is there no simple workaround for this? Why is it dead in the water and why can't we use another mechanism to verify the update files with SHA1? It's all been done before [1]. This would be an improvement, as it enables the project to continue working without any handcuffed relationship to Microsoft.

[1] https://github.com/HyperSine/Windows10-CustomKernelSigners

VLayer (my project) scans healthcare codebases for HIPAA compliance issues before they reach production. One thing I learned building it: developers rarely think about encryption until it's too late. Tools like VeraCrypt solve the "data at rest" problem, but the bigger issue in healthcare software is unencrypted data in logs and API responses — stuff that's much harder to audit manually.

Hope this is resolved. I guess I could run linux in a VM and mount volumes there, but this is getting a bit dicey. But Win 10 is my last windows anyway.

Interesting.

My only experience with Veracrypt is via a law firm I was consulting with, who used it to protect some files they were sharing with me. Law firm and their end client are both big, prestigious companies.

Gone are the days when one can be anonymous on the Internet. Now, in some places, we have to prove our age and identity. This is leading to a digital ID. This will end badly.

Microsoft can't be trusted.

Never was, isn't and I guess won't be.

Microsoft continues to push for year of the Linux desktop

Update from Scott Hanselman:

> Hey I love dumping on my company as much as the next guy, because Microsoft does some dumb stuff, but sometimes it's just check emails and verify your accounts.

Not every "WTF micro$oft" moment is a slam dunk. I've emailed VeraCrypt personally and we'll get him unblocked. I've already talked to Jason at WireGuard.

Not everything is a conspiracy, sometimes it's literally paperwork.

(https://x.com/shanselman/status/2041977121686585396 https://xcancel.com/shanselman/status/2041977121686585396)

What about the guy who originally created it. Paul Le Roux, the criminal mastermind? That's a wild story :D.

Reminds me of when users of TrueCrypt were urged to just install BitLocker instead. Sus AF.

Any chance this is the issue?

https://techcommunity.microsoft.com/blog/windows-itpro-blog/...

very much sounds like microsoft

It's perhaps naive, but could he create a new organisation, like a "TotallyNotVeraCrypt" French loi 1901 association, at a different address, and create a new microsoft account by making sure it passes all the requirements.

For folks looking for a much simpler single binary alternative.

https://github.com/srv1n/kurpod

Forced software signing should be illegal.

if michalesoft wants to take away our ability to sign drivers, they will find there is more than enough vulnerable easily exploited drivers we can use that are pre-signed online. Thank you micosawft!

I'm sorry, is this some sort of Windows joke that I'm too Linux to understand?

If only there was a way to sign software and not depend on a centralized authority, something like a... web of trust?

(and yes I know, you'd need to have the option to have "your" (haha...) OS trust it of course)

And yet another example of companies turning actively hostile against their users.

The burden of usage/access is now solely on the customers and the feeling is that regular customers are just a nuisance to be ignored.

[dead]

[dead]

Posted this earlier from a throwaway since my account wasn't able to reply for some odd reason and it was marked as dead:

Hello Jason!

I want to first thank you for all of your hard work developing Wireguard.

If I can find someone who is willing to put their name on it to help I definitely will, the problem is the spy agencies don't want your project to exist. It makes it harder to put resources to this. I've worked in security departments of certain companies and saw everything you could imagine.

Same for Mounir over at Veracrypt.

Both of you are developing some of the most important software that exists today.

Keep doing what you are doing by keeping everything in the open. User trust almost doesn't exist for these type of projects. Any hint of an issue would wipe that out in seconds.

This leads me to one question I do have for you zx2c4:

Why does Wireguard attempt to contact your servers and auto update on Android with no toggle to turn this off? It's a threat to everyone. Maybe it also does this on other platforms but I haven't tested them all.

I can think of reasons as to why you did this, none nefarious, but still it would be nice if you included that option so I don't have to patch each update to turn this off.

Thanks.

cool project

Jesus, sourceforge is still on the go?

This highlights the fact that not only is supporting Windows dangerous to your project, but using Windows is dangerous to your security.

maybe an old vulnerable signed driver can be used to load the new version :D. on a more seirous note, i think contact with a person at MS, likely via socials triggering that, might help here. It all depends on the reason for the ban/block/cancel.

if they had a reason other than 'oops mistake' its likely just going to remain in place. (sadly, that is how MS is. if you care for privacy maybe go to BSD)

If you use Veracrypt on Windows then you have no idea what you are doing. Windows is not safe. Use Linux only.