I don't know of a single-command way to do this. The GUI programs are doing a fair bit of interrogation of the disk to take the "right" approach and you'll need to do some of that work yourself. You don't need sudo, though, and I think the resulting sequence of events is relatively painless.
The Short Answer
Use udisksctl from the udisks2 package:
udisksctl unlock -b /path/to/disk/partition
udisksctl mount -b /path/to/unlocked/device
Your user account will need to be appropriately authorized in order for the above to work. On Debian and Ubuntu, that means adding your account to the plugdev group.
When you're done with the disk:
udisksctl unmount -b /path/to/unlocked/device
udisksctl lock -b /path/to/disk/partition
udisksctl power-off -b /path/to/disk/or/partition
How to Set Things Up
Here's how you can set things up (via the command line) to make the process of using the disk as painless as possible. I'll assume you want to use the entirety of the USB drive as a single filesystem. Other configurations will require modifications to the instructions. Caveat on variations: I haven't found a way to use LVM in the encrypted container that will allow an unprivileged account to disconnect everything. (I don't see a way to deactivate a volume group via udisksctl.)
For purposes of illustration, we'll say that the disk is /dev/sda. You'll need a name for the filesystem to make it easier to reference later. I'll use "example".
Partition the Disk
Run sudo parted /dev/sda and run the following commands:
mklabel gpt
mkpart example-part 1MiB -1s
quit
The mkpart command will probably prompt you to adjust the parameters slightly. You should be okay accepting its recommended numbers.
The partition will now be available via /dev/disk/by-partlabel/example-part.
Create and Mount the LUKS Partition
sudo cryptsetup luksFormat /dev/disk/by-partlabel/example-part
Go through the prompts.
sudo cryptsetup luksOpen /dev/disk/by-partlabel/example-part example-unlocked
The encrypted device is now available at /dev/mapper/example-unlocked. This is not going to be a permanent thing; it's just for the setup process.
Create Your Filesystem
Let's assume that the filesystem you're using is XFS. Pretty much any other traditional filesystem will work the same way. The important thing is to add a label that you can reference later:
sudo mkfs -t xfs -L example /dev/mapper/example-unlocked
The filesystem's block device can now be accessed via /dev/disk/by-label/example.
Set Filesystem Permissions
By default, the filesystem will be only accessible by root. In most cases, you probably want the files to be accessible by your user account. Assuming your account name is "user":
udisksctl mount -b /dev/disk/by-label/example
sudo chown user:user /media/user/example
Close Everything Down
udisksctl unmount -b /dev/disks/by-label/example
sudo cryptsetup luksClose example-unlocked
Use Your Filesystem
This is what you'll do regularly. After plugging in the USB drive,
udisksctl unlock -b /dev/disks/by-partlabel/example-part
udisksctl mount -b /dev/disks/by-label/example
If your user account is "user", the filesystem will now be mounted at /media/user/example.
To unmount the filesystem:
udisksctl unmount -b /dev/disks/by-label/example
udisksctl lock -b /dev/disks/by-partlabel/example-part
udisksctl power-off -b /dev/disks/by-partlabel/example-part
Now you can disconnect the USB drive.
Best Answer
It depends a little on the distribution you are using and what components are included by dracut in the initramfs.
For example, the
cryptdevice=option is interpreted by the encrypt hook. Thus, it's only relevant for initramfs images that include this hook.The disadvantage of
rd.luks.allow-discardsandrd.luks.allow-discards=is that it simply doesn't work. Thedracut.cmdline(7)description of these options is incorrect. I tested it under Fedora 26 where it doesn't work and there is even a bug report for Fedora 19 where this deviation between documented and actual behavior was discussed and it was closed as wont-fix.The
luks.options=andrd.luks.options=are more generic as you basically can place any valid crypttab option in there, e.g.discard. Since they are interpreted bysystemd-cryptsetup-generatorwhich doesn't care aboutcryptdevice=you can't expect a useful interaction between these options.Note that
luks.options=only has an effect for devices that aren't listed in the initramfs image'setc/crypttabfile.Thus, to enable dm-crypt pass-though SSD trim support (a.k.a. discard) for dm-crypted devices opened during boot you have 2 options:
rd.luks.options=discardto the kernel command line and make sure that the initramfs image doesn't include aetc/crypttab/etc/crypttaband make sure that the current version is included in the initramfs image.You can use
lsinitrd /path/to/initramfs etc/crypttabfor checking the initramfs image,dracut -v -f /path/to/initramfs-imagefor regenerating the image after changes to/etcanddmsetup tableto see whether the crypted device was actually opened with the discard option (the relevant entries should include the stringallow_discardsthen).