While messing around with my multi-boot system and custom secure boot private key infrastructure, I observed that the bootloader files of VeraCrypt are still signed by Microsoft Corporation UEFI CA 2011.
root@aurora /e/w/E/VeraCrypt # sbverify --list DcsBoot.efi
signature 1
image signature issuers:
- /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
This particulary certificate will become invalid on 27.06.2026.
I therefore propose, that the bootloader files are getting resigned by Microsoft via their latest Microsoft UEFI CA 2023 and installed on (compatible) systems with a VeraCrypt update (see my notes below).
This comes of course not without any side effects
- Systems, that do not have the latest Microsoft certificates enrolled in their UEFI firmware will reject the bootloader
- But Windows (in principle) enrolls these certificates automatically into the 'db' allowlist , as Microsoft generally has a key-exchange-key (KEK) enrolled on most UEFI systems for exactly that case. (But I did not test, if a Windows Update already did that)
- However, the KEK of Microsoft will become invalid on 27.06.2026 too. The KEK itself cannot be updated by a Windows update, as it is signed by the the platform key (PK) of the motherboards manufacturer. An UEFI update by the motherboard manufacturere will be required at that point.
Before blindly installing the new bootloader files on a system, VeraCrypt should check, if the required certificates are already enrolled and if not, default back to the (current) bootloader files + warn the user, that action is required (UEFI update).
While messing around with my multi-boot system and custom secure boot private key infrastructure, I observed that the bootloader files of VeraCrypt are still signed by
Microsoft Corporation UEFI CA 2011.This particulary certificate will become invalid on 27.06.2026.
I therefore propose, that the bootloader files are getting resigned by Microsoft via their latest
Microsoft UEFI CA 2023and installed on (compatible) systems with a VeraCrypt update (see my notes below).This comes of course not without any side effects
Before blindly installing the new bootloader files on a system, VeraCrypt should check, if the required certificates are already enrolled and if not, default back to the (current) bootloader files + warn the user, that action is required (UEFI update).