It is perfectly legal for U.S. border agents to take your phone/laptop and clone it for later analysis. Technically, they can do this anywhere within 100 miles of a U.S. border, though I haven’t seen any reports of them attempting to do that (yet).
I personally consider it a huge overreach to be compelled to hand over a list of almost all the online accounts I have, along with my credentials for each one. It may be legal for now, but it should not be, in my opinion.
Can Bitwarden do anything to prevent extraction of that information from a clone of a device? e.g. by using a separate 2FA device to encrypt the store when it’s ‘at rest’?
It’s highly impractical to wipe & restore my phone twice, every time I travel. But it’s hard to trust a completely opaque organization with the track record of the U.S. government.
If your client is set to “NEVER LOCK” it saves your decryption keys to disk. So all your passwords would be compromised, but not your master password. (the master password is turned into a key, and the key can be stolen from disk, but the key can not be reversed into the master password again)
If you have anything else than never lock, then the key is only stored in memory for however many minutes you tell it to. But if you kill the process of the client (ie close your browser) then the key is gone and you need the master password to unlock it.
If you have your disk fully encrypted using an open source tool like cryptsetup for Linux, there is no way for them to decrypt unless you have a weak password or are forced to tell them it.
So the answer is “it depends on how you set it up. Bitwarden gives you the option to make it super insecure if you want convenience over all else. just don’t do that and you’ll be fine”