Microsoft Just Locked the VeraCrypt Developer Out of His Own Signing Account and Your Encrypted Windows PC Has a Deadline
I got a message from a friend at 7 AM on a Tuesday. "Hey, have you seen the VeraCrypt thing?" I had not. Ten minutes later I was staring at a SourceForge thread from Mounir Idrassi, the sole maintainer of VeraCrypt, explaining that Microsoft had terminated his code-signing account without warning, without explanation, and without any way to appeal. My stomach dropped because I have three machines running VeraCrypt system encryption right now.
What Happened to the VeraCrypt Developer Account
On March 30, 2026, Idrassi posted that Microsoft "terminated the account I have used for years to sign Windows drivers and the bootloader." No email beforehand. No policy violation cited. Just locked out. The Japan-based developer said he tried to contact Microsoft and could not reach a human being. Let that sink in for a second: the person responsible for encrypting potentially millions of Windows machines worldwide cannot get a human at Microsoft to pick up the phone.
The immediate fallout: Idrassi can still push updates to Linux and macOS users just fine. But Windows users, who make up the vast majority of the VeraCrypt user base, are frozen. No new updates. No security patches. Nothing.
The VeraCrypt Boot Crisis Coming in July 2026
Here is the part that actually scares me. The VeraCrypt bootloader (DcsBoot.efi) is signed through the Microsoft Corporation UEFI CA 2011 certificate chain. Microsoft is revoking that chain on June 27, 2026. After that date, Secure Boot will refuse to load the VeraCrypt bootloader, and your encrypted Windows install simply will not start.
My colleague Sandra ran some quick numbers. She estimated somewhere between 5 and 10 million devices globally have VeraCrypt system encryption active. That is a lot of bricks waiting to happen.
"I literally called my boss at 11 PM when I saw the timeline," Sandra told me. "We have 340 company laptops running VeraCrypt. Every single one needs a migration plan before summer."
Your Three Options Right Now
I spent the last 48 hours testing all of these on actual hardware. Here is what works:
Option 1: Decrypt and Switch to BitLocker (Windows Pro/Enterprise)
If you are running Windows Pro or Enterprise, BitLocker is your fastest exit. The process takes 2-6 hours depending on drive size:
- Open VeraCrypt, go to System, then Permanently Decrypt System Partition
- Wait for full decryption (do NOT interrupt this or shut down your machine)
- Once done, enable BitLocker via Control Panel, System and Security, BitLocker Drive Encryption
- Save your recovery key somewhere safe; I keep mine in my password manager alongside my passkeys
Option 2: Disable Secure Boot Temporarily
You can disable Secure Boot in your BIOS/UEFI settings. This lets the VeraCrypt bootloader load regardless of certificate status. But, and this is a big but, disabling Secure Boot means any unsigned code can run at boot time. That includes rootkits and bootkits. I would only do this as a temporary bridge while you plan a proper migration. Days, not months.
Option 3: Wait for a Resolution
Idrassi is actively trying to resolve the situation with Microsoft. There is a chance that the account gets reinstated, a new certificate gets issued, and everything works out. I am not banking on this personally. Hope is not a security strategy, and June 27 is closer than you think.
Why This VeraCrypt Incident Matters Beyond One Tool
This incident exposes something ugly about how much open-source security tools depend on proprietary gatekeepers. VeraCrypt is free, open-source, and has been audited by QuarksLab and Germany's BSI (Fraunhofer Institute). It has passed every security audit thrown at it. None of that matters when one company can pull the rug on your signing certificate with no explanation.
Remember when I wrote about Cloudflare moving up its post-quantum deadline? Same theme. Encryption infrastructure is fragile in ways most people never think about until it breaks underneath them.
Derek, a friend who runs IT for a healthcare nonprofit, put it bluntly: "We picked VeraCrypt specifically to avoid vendor lock-in. Turns out we just traded one kind of lock-in for another."
What I Am Doing With My Own Machines
Full transparency: I am decrypting two of my three VeraCrypt machines this week. My daily driver Windows workstation is moving to BitLocker. My Linux laptop stays on LUKS (which was never affected by any of this). My third machine, a test rig, I am leaving on VeraCrypt with Secure Boot disabled, purely to track what happens when the June deadline hits.
If you do nothing else today, check whether your machines use VeraCrypt system encryption. Right-click the VeraCrypt tray icon and check System Encryption status. If it says active, you have a deadline, and that deadline is June 27, 2026.
I also updated my endpoint security checklist to include VeraCrypt status as a mandatory check item. You should too.
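For a checklist item that has to run across many machines, the tray-icon check can be scripted. The following is an added example, not code from this post or from the VeraCrypt project: it reports whether Secure Boot is on, whether DcsBoot.efi sits on the EFI System Partition, and whether its signing certificate was issued by the Microsoft Corporation UEFI CA 2011. The function name, the `S:` drive letter and the `EFI\VeraCrypt\DcsBoot.efi` path are assumptions; adjust them to your environment.

```powershell
# Added example, not from the post or the VeraCrypt project. Run elevated.
function Get-VeraCryptBootExposure {
    param(
        [string]$EspLetter  = 'S:',                         # assumption: S: is free
        [string]$LoaderPath = 'EFI\VeraCrypt\DcsBoot.efi',  # assumption: default ESP location
        [string]$IssuerName = 'Microsoft Corporation UEFI CA 2011'
    )

    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "off".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    $r = [ordered]@{
        Computer          = $env:COMPUTERNAME
        SecureBootEnabled = $secureBoot
        LoaderPresent     = $false
        SignatureStatus   = $null
        Issuer            = $null
        IssuedBy2011CA    = $false
        AtRisk            = $false
    }

    # Never reuse a letter that is already mapped: the unmount below would detach it.
    if (Test-Path -LiteralPath "$EspLetter\") { throw "$EspLetter is in use; pick a free letter." }

    # Mount the EFI System Partition, inspect the loader, always unmount.
    & mountvol.exe $EspLetter /S 2>$null | Out-Null
    try {
        $null   = Get-PSDrive -PSProvider FileSystem   # refresh so the new letter resolves
        $loader = Join-Path "$EspLetter\" $LoaderPath
        if (Test-Path -LiteralPath $loader) {
            $sig = Get-AuthenticodeSignature -FilePath $loader
            $r.LoaderPresent   = $true
            # Status may not be 'Valid' if Windows does not trust the UEFI root for
            # Authenticode; the issuer of the signing certificate is what matters here.
            $r.SignatureStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) {
                $r.Issuer         = $sig.SignerCertificate.Issuer
                $r.IssuedBy2011CA = $r.Issuer -like "*$IssuerName*"
            }
        }
    }
    finally { & mountvol.exe $EspLetter /D 2>$null | Out-Null }

    # Heuristic: a loader on the ESP suggests, but does not prove, active system encryption.
    $r.AtRisk = $r.LoaderPresent -and $r.IssuedBy2011CA -and $secureBoot
    [pscustomobject]$r
}

Get-VeraCryptBootExposure | Format-List
```

Because the function returns an object, the output can be piped to `Export-Csv` when collected from several machines. A machine with Secure Boot already disabled reports `AtRisk = False` for the boot deadline but carries the boot-time exposure described under Option 2.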
The Bigger Question Nobody Is Asking
How many other critical open-source tools are one locked account away from a crisis? OpenSSL, GPG, Signal dependencies: all of these touch proprietary infrastructure at some point. Signing certificates, app store accounts, cloud hosting providers. We built an entire ecosystem of free tools that are tethered to companies that can shut them down without a phone call.
Idrassi has been maintaining VeraCrypt essentially solo for years. One person. One account. Millions of encrypted machines. That was always a risk. Now it is a reality.
Keep your eyes on the official VeraCrypt SourceForge discussion thread for updates. And maybe start thinking about whether your encryption strategy has a single point of failure you have not noticed yet.