At account creation, the BitWarden client app uses a random number generator to create your Generated Symmetric Key. This is the key which is used to encrypt your data.
Your Generated Symmetric Key is encrypted with your Stretched Master Key, which is derived from your Master Password. The resulting key is called the Protected Symmetric Key. It is stored on the server, so that it can be returned to the BitWarden client app when syncing. So your Master Password is not used to encrypt your data; instead it is used to protect the key which encrypts your data.
Decrypting your data requires a copy of the Protected Symmetric Key and your Master Password.
When rotating the encryption key, you are rotating the Generated Symmetric Key. This is encrypted with your Stretched Master Key before saving on the server, giving a new Protected Symmetric Key.
Your data is only encrypted once with the Generated Symmetric Key. The BitWarden servers are likely using encrypted storage, but this is transparent to the BitWarden apps.
I’m not sure I understand the point about invalidating the session. The connection between server and client is encrypted using HTTPS and the keys for this are managed separately using certificates.