
Background

I work for a company that leases medical testing devices to health clinics. These devices are not domain joined and are only accessible through our MDM solution. These devices connect to a web service which interfaces with these devices to manipulate the testing apparatus. As this is a web service, no sensitive PHI or PII of any kind is stored on the device, except for in memory. That is, nothing sensitive is ever written to disk.

A business decision came down recently to enable BitLocker on all of these devices. They are all running Windows (7 or 8.1) and all of them have a TPM module. (We did explain to the business that enabling BitLocker will not afford us anything, but I assume they want it for marketing purposes or something along those lines).

The Issue

Because of the quantity of our devices numbering in the thousands, I wish to make management for our technical support team as simple as possible. While doing some research on the Enable-BitLocker cmdlet for PowerShell, I found an entry titled Enable BitLocker with a specified recovery key, including a command line entry and a short description.

This implies to me that it is possible to provide my own recovery key. As far as I understand it, every device requires its own unique recovery key, though using this encrypts the unique recovery key with the common recovery key, enabling the use of a single recovery key across the board.

I've tried to find more information on this elsewhere, though I've not found very much.

My Question

Is it possible to use a common recovery key across all of our devices? I suspect it is possible, assuming my interpretation of that cmdlet is correct, though I have heard rumors and suspicions that this may require these devices to be joined to an Active Directory domain, which at this point is not possible.

Besides the security ramifications (where losing the common key allows decryption of all devices), are there any other concerns that I may need to explore further with implementing this solution, or perhaps things I have not considered that may make this solution either not possible or undesirable?

Foxtrek_64
  • Maybe it's possible, but is it right? Security-wise? – ETL Feb 15 '19 at 21:31
  • `I've tried to find more information on this elsewhere, though I've not found very much.` There isn't anything else. A key from one computer can be used on another. `I have heard rumors and suspicions that this may require these devices to be joined to an Active Directory domain`. Really? Where? This would take about five minutes to test and validate. `are there any other concerns that I may need to explore?` Uh, if the devices are only accessible with an MDM, how would you use the key when you need it? – Greg Askew Feb 15 '19 at 21:39

1 Answer

Yup, you can encrypt data with BitLocker and a password, for example:

```powershell
# Prompt for the password without echoing it; Read-Host returns a SecureString
$SecurePassword = (Read-Host -AsSecureString)

# $DriveLetter was not set in the original; placeholder for the volume to encrypt
$DriveLetter = 'D:'

# Password protector only (no TPM), AES-256, encrypt used space only
Enable-BitLocker -MountPoint $DriveLetter -EncryptionMethod Aes256 -Password $SecurePassword -PasswordProtector -UsedSpaceOnly
```

This works for me in encrypting virtual disk files for offsite backup. I haven't tried it on a C drive on a desktop/laptop.

I would research a more comprehensive solution; the above is just for testing.

McAfee and other third-party companies may have solutions as well for managing the keys in the cloud. Microsoft Azure, I believe, also has a way of managing keys in the cloud.

ErikW
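The recovery-key question raised above, worked through as an added example that is not part of the question or ErikW's answer: it enables the OS volume with a TPM protector (so the device still boots unattended) plus a 48-digit recovery password protector, then writes the protector details out for the support team's escrow store. It assumes Windows 8.1 (the BitLocker PowerShell module is not available on Windows 7), an elevated session, and that the script parameters and `$EscrowPath` are this example's own; the optional `-RecoveryPassword` parameter is what lets the same recovery password be applied on every device, with a per-device one generated when it is omitted.

```powershell
param(
    [string]$MountPoint = 'C:',
    # Optional: the same 48-digit password on every device (the "common recovery
    # key" asked about). Omit it and BitLocker generates a per-device password,
    # which limits the blast radius if an escrow record ever leaks.
    [string]$RecoveryPassword,
    # Placeholder path; the MDM should pull this record off the device and delete it
    [string]$EscrowPath = "$env:ProgramData\BitLockerEscrow.json"
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "BitLocker protection is already on for $MountPoint"
    return
}

# Recovery password protector first: used when the TPM will not release the
# key (firmware update, board swap, boot configuration change).
if ($RecoveryPassword) {
    if ($RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') {
        throw 'Recovery password must be 48 digits in 8 hyphen-separated groups of 6.'
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector `
        -RecoveryPassword $RecoveryPassword | Out-Null
} else {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
}

# TPM protector: the volume unlocks at boot with no user interaction.
# -SkipHardwareTest avoids the reboot-and-verify step so encryption starts now.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
    -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null

# Re-read the volume and record every protector (type, ID, and the recovery
# password where present) so support can map a recovery prompt's key ID to a device.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$record = [ordered]@{
    Device     = $env:COMPUTERNAME
    MountPoint = $MountPoint
    Protectors = @($vol.KeyProtector | ForEach-Object {
        [ordered]@{
            Type             = "$($_.KeyProtectorType)"
            Id               = $_.KeyProtectorId
            RecoveryPassword = $_.RecoveryPassword
        }
    })
}
$record | ConvertTo-Json -Depth 4 | Set-Content -Path $EscrowPath
Write-Host "Escrow record written to $EscrowPath"
```

Run it once per device through the MDM; the key ID shown on the BitLocker recovery screen matches the `Id` field in the escrow record, which is how support locates the right password when a device does not boot.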