hey @Fadi it's just not technically possible to protect a local file like that, you can only use a secure long master password for symmetric encryption, where a local keyfile can be used for extra entropy.
Totp/fido/email magic links/... are all features that can only be used when protecting an external service.
For your information, directly from the Bitwarden documentation: https://bitwarden.com/help/external-db/ if you self host it, you are just connecting to a Microsoft MSSQL database, so with the sa password you'll also have access to all your credentials (encrypted but just the same as having an enpass database). SQL server has features like TDE to encrypt data at rest, but they will also only protect the file outside the system, because if the SQL server didn't have the key to unlock it, some DBA would have to enter a password every time the database instance was restarted. And SQL server's Always Encrypted just moves the key outside the database instance, to the application layer, which will also need to know the key that is used.
FIDO U2F can not be used for symmetric encryption: https://security.stackexchange.com/a/105808/71765 which also makes sense, otherwise your whole database would be lost when it works like that, and they always recommend having a spare key, because they don't actually encrypt the data just provide a secure attestation certificate.
