I have read all the articles related to encryption, also checked this tool [ Interactive Cryptography Page ].
There are two parts of output in this tool, first part is generating keys that are unique to my master password, second part is generating keys that are salted with an extra random value. Now for simplicity, lets just say first part of encryption key is Local Key, second one is Server Key (I’m assuming this is server vault key).
Now here is what I understand:
We can always reproduce the same Local Key for a given Master Password, but we can’t reproduce the same Server Key from a Master Password since it’s salted with a random value.
When we use “rotate encryption key” option without changing master password, we actually rotating the Server Key, not the Local Key (since Local Key is unique to master password).
On the other hand, when we change master password without rotating encryption key, it produces new Local Key, but has no effect on Server Key.
When we save something in BW, data is encrypted locally with the Local Key before sending to server, after server receives the encrypted data, it is then encrypted again with the Server Key and stored inside the web vault. (I’m not sure about the last part, correct me if I’m wrong)
If above points are correct, then here is what I don’t understand:
If encryption happens locally with Local Key, why would rotating Server Key affect client app session?
Isn’t changing master password should invalidate the session? since encryption happens on client side with an encryption key derived from master password.
I’m gonna stop here, because I think my assumptions are way off. Can someone explain me where I’m wrong and how exactly this process works, please?