Microsoft Just Killed VeraCrypt's Windows Account — And Won't Say Why
Microsoft just terminated the developer account behind VeraCrypt, the open-source disk encryption tool used by millions. No real explanation. No warning. Just a locked door and a vague reference to terms of service. It’s a stark reminder of what happens when critical open-source infrastructure depends on a single platform gatekeeper.
What happened
VeraCrypt’s Microsoft account — the one used to sign Windows kernel drivers through the Windows Hardware Dev Center — was abruptly shut down. This wasn’t some throwaway email login. It was the key to the entire Windows distribution pipeline.
To ship a kernel-level driver on Windows, you need Microsoft’s signature. Without it, VeraCrypt can’t release new versions. It can’t push compatibility patches for Windows updates. The project’s Windows pipeline is effectively frozen.
Why code signing is existential for disk encryption
Most apps can get away without a signature. Users click through a warning dialog and move on. VeraCrypt doesn’t have that luxury.
Full-disk encryption requires a kernel driver that hooks deep into the Windows boot process. Windows flatly refuses to load unsigned kernel drivers. With Secure Boot enabled — which is the default on most modern machines — an unsigned driver means the system may not boot at all.
No Microsoft signature, no working VeraCrypt on Windows. It’s that simple. The platform holder has a kill switch, and they just used it.
Nobody knows why
Here’s the part that should bother you. Microsoft hasn’t given a specific reason for the termination. Just a boilerplate “terms of service violation” notice.
VeraCrypt has been around since 2014, picking up where TrueCrypt left off. It has passed multiple independent security audits, including one funded by the EU’s FOSSA initiative. There’s no history of malware distribution, no license violations, no scandals. Over a decade of clean operation.
Terminating an account like that with zero transparency isn’t a technical issue. It’s a due process issue.
Open source on someone else’s platform is a tenancy, not ownership
This pattern keeps repeating. Google suspends Play Store developer accounts without meaningful recourse. The left-pad incident in 2017 showed how a single deleted npm package could break builds worldwide. GitHub restricted repositories for developers in sanctioned countries. Every few years, the same lesson arrives wearing a different outfit.
VeraCrypt’s code is open. Anyone can read it, audit it, fork it. But for that code to actually reach Windows users, it has to pass through Microsoft’s gate. When the gatekeeper decides to close the gate — for reasons they won’t disclose — the openness of the source code is irrelevant.
The code is free. The distribution channel is not.
What VeraCrypt users should do right now
If you’re running VeraCrypt on Windows today, don’t panic. Your existing installation still works. But keep an eye on major Windows updates — without signed driver patches, compatibility could break down the line.
On Linux, none of this matters. VeraCrypt works fine without Microsoft’s blessing, which rather neatly illustrates that the problem was never VeraCrypt’s technology. It’s platform dependency.
The VeraCrypt team is reportedly exploring alternative signing paths, but the reality of Windows kernel driver requirements makes fully bypassing Microsoft nearly impossible.
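For users who want to confirm what the post describes on their own machine, the following PowerShell snippet (an added example, not from the original post or the VeraCrypt project) reports whether the installed VeraCrypt kernel driver carries a valid Authenticode signature, who signed it, and whether Secure Boot is enabled. It assumes the driver is registered under the service name `veracrypt` and that it is run from an elevated session; both are assumptions, not facts taken from the page.

```powershell
# Added example: inspect the signature state of the VeraCrypt kernel driver.
# Assumes the driver service is named "veracrypt" and runs elevated.
$serviceName = 'veracrypt'   # assumed service name; adjust if yours differs

# Locate the driver binary through its service registration
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name = '$serviceName'"
if (-not $drv) {
    Write-Warning "No kernel driver service named '$serviceName' is registered."
    return
}

# PathName may be returned with a \??\ prefix or environment variables; normalise it
$path = [Environment]::ExpandEnvironmentVariables($drv.PathName) -replace '^\\\?\?\\', ''

# Authenticode check: Status is Valid, NotSigned, HashMismatch, etc.
$sig = Get-AuthenticodeSignature -FilePath $path

# Secure Boot state (throws on legacy BIOS systems or without admin rights)
$secureBoot = $(try { Confirm-SecureBootUEFI } catch { 'unknown (legacy BIOS or not elevated)' })

[pscustomobject]@{
    Driver     = $path
    State      = $drv.State
    SigStatus  = $sig.Status
    Signer     = $sig.SignerCertificate.Subject
    SecureBoot = $secureBoot
}
```

A driver that passed through the Windows Hardware Dev Center signing path shows a Microsoft-issued signer in the `Signer` field; `SigStatus` other than `Valid` on a machine with `SecureBoot` set to `True` is the condition the post warns about, since such a driver will not be loaded.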
The real question
A tool built to protect privacy and security now depends on a platform vendor that can disable it at will. VeraCrypt is used by journalists, human rights activists, and enterprises handling sensitive data. Having its distribution controlled by a single company’s discretion goes beyond inconvenience.
This is worth sitting with: should the tools we rely on for digital security be subject to one corporation’s unilateral, unexplained decisions? Open source was supposed to mean no single point of failure. But when the platform is the bottleneck, open source alone isn’t enough.