Web vault security when logged off

I’m using Bitwarden with hardware U2F exclusively for recovery codes and other sensitive stuff that I don’t want on my regular password manager.

I’m logging in via the web vault to add/retrieve the data I need and log off immediately after that.

Let’s consider that my Bitwarden web vault session has been logged off. My question is: if an attacker gains access to my PC and has my Bitwarden password (through a sniffer or from my other password manager), will he be able to decrypt and/or retrieve my Bitwarden data, or is it only decrypted once my U2F key is inserted and verified?

The web vault will NOT allow anyone to access or download your vault from the cloud without the needed U2F key. When you log out completely, what you need is now completely in the Azure Cloud. However, from a security point of view, when your vault is open and active an infected computer may allow access. That is true of ANY software bundle. If a hacker has pwned your machine, anything is possible where open and running software is in play.


Beware, though, that there is always an alternate method for logging into your web vault, needed in case of loss of the 2FA device. IF your alternate method is via email AND the attacker who has access to your PC gets to the inbox of that email address, THEN you’re in trouble.

Bitwarden offers a 32-digit account-specific reset code, which you should write down and store somewhere NOT on your online machines. With the 32-digit code you can gain access from any computer in the world. This is the only safe backup for a U2F chip. Any other options are too lax for consideration - my opinion.

The other obvious thing is that U2F chips are cheap and you can authenticate multiple ones for your account. Storing a spare pre-authenticated U2F is what I do, along with the reset code.

