Microsoft Abruptly Terminates VeraCrypt Account, Halting Windows Updates



Microsoft has terminated an account associated with VeraCrypt, a popular and long-running piece of encryption software, throwing future Windows updates of the tool into doubt, VeraCrypt’s developer told 404 Media.

The move highlights the sometimes delicate supply chain involved in the publication of open source software, especially software that relies on big tech companies even tangentially.

“I didn’t receive any emails from Microsoft nor any prior warnings,” Mounir Idrassi, VeraCrypt’s developer, told 404 Media in an email.


VeraCrypt is an open-source tool for encrypting data at rest. Users can create encrypted partitions on their drives, or make individual encrypted volumes to store their files in. Like its predecessor TrueCrypt, which VeraCrypt is based on, it also lets users create a second, innocuous-looking volume if they are compelled to hand over their credentials.

Last week, Idrassi took to the SourceForge forums to explain why he had been absent for a few months. The most serious challenge, he wrote, “is that Microsoft terminated the account I have used for years to sign Windows drivers and the bootloader.”

“Regarding VeraCrypt, I cannot publish Windows updates. Linux and macOS updates can still be done but Windows is the platform used by the majority of users and so the inability to deliver Windows releases is a major blow to the project,” he continued. “Currently I’m out of options.”

Idrassi told 404 Media the termination happened in mid-January. “I was surprised to discover that I could no longer use my account,” he said.

On the forum and in the email to 404 Media, Idrassi shared what he said was the only message he received connected to the account shutdown. “Based on the information you have provided to date, we have determined that your organization does not currently meet the requirements to pass verification. There are no appeals available, we have closed your application,” it reads.

Idrassi told 404 Media the message concerns his company, IDRIX. “As you can read in their message, they say that the organization (IDRIX) doesn’t meet their requirements, but I don’t see which requirement IDRIX suddenly stopped meeting,” he said.

Image: The message Idrassi said he received.

Idrassi said he has tried contacting Microsoft support, but he received automated responses that he believes contained AI-generated text. “This is frustrating because they could at least explain what’s wrong,” Idrassi said.

“The lack of communication by Microsoft when they take such decisions adds uncertainty about the future, combined with automated AI feedback which gives an inhuman aspect to such decisions,” Idrassi said.

According to a post on Hacker News, the popular VPN client WireGuard is facing the same issue. “No warning at all, no notification. One day I sign in to publish an update, and yikes, account suspended,” Jason Donenfeld, the creator of WireGuard, wrote.

Microsoft acknowledged a request for comment but did not provide a response in time for publication.
