Help me understand the encryption process, I have some confusion

I have read all the articles related to encryption, also checked this tool [ Interactive Cryptography Page ].
There are two parts of output in this tool: the first part is generating keys that are unique to my master password, the second part is generating keys that are salted with an extra random value. Now for simplicity, let's just say the first part of the encryption key is the Local Key and the second one is the Server Key (I’m assuming this is the server vault key).

Now here is what I understand:

  1. We can always reproduce the same Local Key for a given Master Password, but we can’t reproduce the same Server Key from a Master Password since it’s salted with a random value.

  2. When we use the “rotate encryption key” option without changing the master password, we are actually rotating the Server Key, not the Local Key (since the Local Key is unique to the master password).
    On the other hand, when we change the master password without rotating the encryption key, it produces a new Local Key, but has no effect on the Server Key.

  3. When we save something in BW, data is encrypted locally with the Local Key before being sent to the server; after the server receives the encrypted data, it is then encrypted again with the Server Key and stored inside the web vault. (I’m not sure about the last part, correct me if I’m wrong)

If the above points are correct, then here is what I don’t understand:

  1. If encryption happens locally with the Local Key, why would rotating the Server Key affect the client app session?

  2. Shouldn't changing the master password invalidate the session, since encryption happens on the client side with an encryption key derived from the master password?

I’m gonna stop here, because I think my assumptions are way off. Can someone explain to me where I’m wrong and how exactly this process works, please?

At account creation, the BitWarden client app uses a random number generator to create your Generated Symmetric Key. This is the key which is used to encrypt your data.

Your Generated Symmetric Key is encrypted with your Stretched Master Key which is derived from your Master Password. The resulting key is called the Protected Symmetric Key. It is stored on the server, so that it can be returned to the BitWarden client app when syncing. So your Master Password is not used to encrypt your data, instead it is used to protect the key which encrypts your data.

  1. Decrypting your data requires a copy of the Protected Symmetric Key and your Master Password.

  2. When rotating the encryption key, you are rotating the Generated Symmetric Key. This is encrypted with your Stretched Master Key before saving on the server giving a new Protected Symmetric Key.

  3. Your data is only encrypted once with the Generated Symmetric Key. The BitWarden servers are likely using encrypted storage, but this is transparent to the BitWarden apps.

I’m not sure I understand the point about invalidating the session. The connection between server and client is encrypted using HTTPS and the keys for this are managed separately using certificates.
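The key hierarchy described in this answer, as an added sketch that is not part of the original post and not Bitwarden's code. It shows why a master password change only re-wraps the key while a rotation re-encrypts the data. Assumptions: all function names are hypothetical, the email is used as the KDF salt, and an HMAC-based stand-in cipher replaces the real cipher so the sketch runs on the standard library alone.

```python
import hashlib, hmac, secrets

def stretched_master_key(password, email, iterations=100_000):
    # Deterministic: same password + salt always gives the same 64-byte key.
    # Using the email as salt and these labels is an assumption of this sketch.
    mk = hashlib.pbkdf2_hmac("sha256", password.encode(), email.encode(), iterations)
    return b"".join(hmac.new(mk, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))

def _xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 in counter mode) so the sketch needs only the stdlib.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key64, plaintext):
    # Encrypt-then-MAC: first 32 bytes of the key encrypt, last 32 authenticate.
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key64[:32], nonce, plaintext)
    return nonce + ct + hmac.new(key64[32:], nonce + ct, hashlib.sha256).digest()

def unseal(key64, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key64[32:], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    return _xor_stream(key64[:32], nonce, ct)

def walkthrough():
    email, secret = "user@example.com", b"constructed vault item"
    old_smk = stretched_master_key("old master password", email)
    sym_key = secrets.token_bytes(64)            # Generated Symmetric Key (random)
    protected = seal(old_smk, sym_key)           # Protected Symmetric Key (server copy)
    item = seal(sym_key, secret)                 # data is encrypted once, with sym_key

    # Master password change: only the wrapper is redone, the item is untouched.
    new_smk = stretched_master_key("new master password", email)
    protected = seal(new_smk, unseal(old_smk, protected))
    after_password_change = unseal(unseal(new_smk, protected), item)

    # Key rotation: new random key, so the item must be re-encrypted and the
    # new key wrapped again under the unchanged Stretched Master Key.
    new_sym_key = secrets.token_bytes(64)
    item = seal(new_sym_key, unseal(sym_key, item))
    protected = seal(new_smk, new_sym_key)
    after_rotation = unseal(unseal(new_smk, protected), item)
    return after_password_change, after_rotation, item, sym_key, old_smk, protected
```

After the walkthrough, neither the old symmetric key nor the old Stretched Master Key opens anything that is currently stored.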

@galvanicanomaly I get it now. I was assuming my data is being encrypted with a derived key from my Master Password directly, that’s why I got confused about how rotation works without changing the Master Password.
I didn’t know the actual encryption key (Symmetric Key) is stored on the server.
Thank you, it helped me understand it all now.