If you use an encrypted external SSD, you should periodically trim it. The first step would be to make sure the external drive itself supports trimming. The next step would be to make sure the LUKS partition on the device supports trimming as well. By default, encrypted filesystems do not support passing discard requests due to some security concerns. For example,
crypttab man page states:
WARNING: Assess the specific security risks carefully before enabling this option. For example, allowing discards on encrypted devices may lead to the leak of information about the ciphertext device (filesystem type, used space etc.) if the discarded blocks can be located easily on the device later.
For most users, the benefit of TRIM outweigh those security concerns. The easiest way to enable TRIM is to pass the
dicard option in
/etc/crypttab. For example:
cdisk0 UUID=12345678-9abc-def012345-6789abcdef01 none luks,discard
The problem with the
/etc/crypttab approach is that it requires you to pre-configure your external drives. A better approach would be to enable discards at the LUKS configuration, which would apply automatically whenever the drive is used. This can be done in LUKS version 2 headers.
# cryptsetup --allow-discards --persistent refresh luks-643dc0f7-c876-4e37-9207-5c053a75fc70
luks-643dc0f7-c876-4e37-9207-5c053a75fc70 is the name of the mapping for the encrypted drive. You can verify that
allow_discards is now part of the flag by dumping the LUKS header.
# cryptsetup luksDump /dev/sda4 | grep Flags Flags: allow-discard
Now, you should be able to use
fstrim to trim your external SSD with LUKS encryption drive.