Background
I work for a company that leases medical testing devices to health clinics. These devices are not domain joined and are only accessible through our MDM solution. These devices connect to a web service which interfaces with these devices to manipulate the testing apparatus. As this is a web service, no sensitive PHI or PII of any kind is stored on the device, except for in memory. That is, nothing sensitive is ever written to disk.
A business decision came down recently to enable BitLocker on all of these devices. They are all running Windows (7 or 8.1) and all of them have a TPM module. (We did explain to the business that enabling BitLocker will not afford us anything, but I assume they want it for marketing purposes or something along those lines).
The Issue
Because of the quantity of our devices numbering in the thousands, I wish to make management for our technical support team as simple as possible. While doing some research on the Enable-BitLocker commandlet for PowerShell, I found an entry titled Enable BitLocker with a specified recovery key, including a command line entry and a short description.
This implies to me that it is possible to provide my own recovery key. As far as I understand it, every device requires its own unique recovery key, though using this encrypts the unique recovery key with the common recovery key, enabling the use of a single recovery key across the board.
I've tried to find more information on this elsewhere, though I've not found very much.
My Question
Is it possible to use a common recovery key across all of our devices? I suspect it is possible, assuming my interpretation of that commandlet is correct, though I have heard rumors and suspicions that this may require these devices to be joined to an Active Directory domain, which at this point is not possible.
Besides the security ramifications (where losing the common key allows decryption of all devices), are there any other concerns that I may need to explore further with implementing this solution, or perhaps things I have not considered that may make this solution either not possible or undesirable?
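The rollout the question describes, as an added example that is not part of the original post or of any vendor's tooling: a PowerShell script that enables BitLocker on the OS drive with a TPM protector for unattended boot, adds a recovery password protector, and writes the per-device recovery password to a local escrow file for collection. The escrow path and the MDM agent that picks it up are assumptions; `Enable-BitLocker`, `Add-BitLockerKeyProtector`, `Get-BitLockerVolume` and `Get-Tpm` are the real cmdlets from the BitLocker and TrustedPlatformModule modules, which ship with Windows 8 and later (Windows 7 has no BitLocker PowerShell module, so there you would drive `manage-bde.exe` instead). The `-RecoveryPassword` parameter is where a common 48-digit recovery password would be supplied; the script accepts one but defaults to letting BitLocker generate a unique password per device, because a shared password turns one leak into a fleet-wide decryption key.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Assumes Windows 8.1 with a TPM, an elevated
# session, and an MDM agent that collects $EscrowPath (the path itself is an assumption).
Import-Module BitLocker
Import-Module TrustedPlatformModule

$MountPoint = 'C:'
$EscrowPath = 'C:\ProgramData\Example-MDM\bitlocker-escrow.json'   # assumed pickup location

function Assert-TpmReady {
    # A TPM protector only works if the TPM is present, owned and activated.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { throw 'No TPM present; a TPM protector cannot be used.' }
    if (-not $tpm.TpmReady)   { throw 'TPM is not ready; initialise it before enabling BitLocker.' }
}

function Enable-DeviceBitLocker {
    param(
        [string]$Volume = $MountPoint,
        # Optional 48-digit password shared across devices. Leave empty to get a unique one.
        [string]$CommonRecoveryPassword
    )

    $vol = Get-BitLockerVolume -MountPoint $Volume
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # TPM protector = no user interaction at boot. -SkipHardwareTest avoids the
        # reboot-and-test round trip that would otherwise block an unattended rollout.
        Enable-BitLocker -MountPoint $Volume -EncryptionMethod Aes256 -UsedSpaceOnly `
            -TpmProtector -SkipHardwareTest | Out-Null
    }

    # Re-read the volume so the protector list reflects what Enable-BitLocker just did.
    $vol = Get-BitLockerVolume -MountPoint $Volume
    $hasRecovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $hasRecovery) {
        if ($CommonRecoveryPassword) {
            # Same password on every device: a single disclosure unlocks the whole fleet.
            Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector `
                -RecoveryPassword $CommonRecoveryPassword | Out-Null
        } else {
            # No -RecoveryPassword: BitLocker generates a unique 48-digit password per device.
            Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector | Out-Null
        }
    }
}

function Export-RecoveryRecord {
    param([string]$Volume = $MountPoint, [string]$Path = $EscrowPath)
    $vol = Get-BitLockerVolume -MountPoint $Volume
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) { throw "No recovery password protector found on $Volume." }

    # One record per device; the protector ID is what a support tech types into the
    # recovery prompt to find the matching password in escrow.
    $record = [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SerialNumber     = (Get-CimInstance Win32_BIOS).SerialNumber
        MountPoint       = $Volume
        ProtectorId      = $rp.KeyProtectorId
        RecoveryPassword = $rp.RecoveryPassword
        ProtectionStatus = [string]$vol.ProtectionStatus
        Collected        = (Get-Date).ToString('o')
    }
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    $record | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
    return $record
}

Assert-TpmReady
Enable-DeviceBitLocker          # add -CommonRecoveryPassword '<48 digits>' to share one password
$rec = Export-RecoveryRecord
Write-Host "Escrowed recovery password for protector $($rec.ProtectorId); protection: $($rec.ProtectionStatus)"
```

The escrow file holds the recovery password in clear text until the MDM agent collects it, so the pickup location should be readable only by SYSTEM and the agent, and the record should be deleted once the upload is confirmed. Keeping a per-device password in escrow gives the support team the same one-stop lookup a common key would (search by protector ID), without the property that losing one secret decrypts every device.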
Yup, you can encrypt data with BitLocker and a password, for example:
This works for me in encrypting virtual disk files for offsite backup... haven't tried it on a C drive on a desktop/laptop.
I would research a more comprehensive solution, the above is just for testing.
McAfee and other 3rd party companies may have solutions as well for managing the keys in the cloud. Microsoft Azure, I believe, also has a way of managing keys in the cloud.