QuantumLock Objects and Relationships
The quantumlock system is a group of interrelated objects (see the following diagram):
- QuantumLock user group: A set of Secret Server users that have access to a single quantumlock. This is not an object per se—it is the set of users assigned to a quantumlock object. Each user has a separate password via the quantumlock password object.
- QuantumLock object: A named object that is associated with one or more secrets and one or more users. QuantumLock objects, or simply quantumlocks, secure one or more secrets, and one or more quantumlock password objects provide access to them. The secrets themselves are encrypted with AES256 and are unlocked using the symmetric key provided by the quantumlock object.
- QuantumLock password object: An encrypted asymmetric password that is associated with one user. The same quantumlock password object, or simply quantumlock password, is used for all quantumlocks to which a user has access. Other users associated with the same quantumlock have their own quantumlock passwords. Once a user is assigned to a quantumlock, that user has access to any secret using that quantumlock, using the user's single quantumlock password. A quantumlock password has nothing to do with the user's Secret Server access password.
- Secret: A secret that has a single quantumlock assigned to it. Multiple secrets can have the same one assigned to them. The secret is encrypted with AES256, with its symmetric key provided by the quantumlock object, which is itself secured by one or more quantumlock passwords, which are encased by Kyber-1024 or RSA-2048.
- User: A Secret Server user, which can have a single quantumlock password assigned to it. Users are assigned to quantumlock objects.
Figure: QuantumLock Object Relationships