The term for the concept is forward secrecy, or often "perfect forward secrecy". It seems like magic to me, too, and I'll probably be reviewing the basics tonight. I couldn't begin to tell you how the trick is accomplished.

Somehow, an attacker can have your whole conversation log (encrypted), including the key exchange, and be unable to retrieve the key used, even if he has the credentials you used at the time the key was generated.

The real crux of the question may be, "How does Diffie-Hellman work?" (Well known key exchange method.)

Yes, I understand PFS, ratcheting and all that. But you're talking about stuff captured off the wire. And yes, that can be protected with PFS. Even OpenVPN does that. But I thought that we were talking about devices and stuff stored on them. Even if all transport had PFS, devices and encrypted files all have passphrases and/or secret keys.