We enter the Username and Master Password into one way functions to create a salted hash. Since the function is one-way, even if someone were to get a hold of the salted hash, they would not obtain the Master Password.
What are PBKDF2-SHA256 rounds?
This is used to make the salted hash (result from above) even more complicated for an attacker. It increases the number of iterations it takes in order for someone to guess the password. Put this together with the one-way salted hash and we get an equation that looks something like:
The email and master password hash used to generate the encryption key is local. It is never transmitted. Key stretching is used to slow down brute force attacks if someone were to get a copy of an encrypted vault. It's not practical to use random salts at the local level.
There are additional hashing and key stretching operations performed locally to generate an authentication key.