The steps are quite simple.
Obtain the device path e.g. /dev/sdy (substitute the path with your device)
All commands are run as root (either su or sudo) - when flash based device - use a filesystem designed for flash - f2fs.
sgdisk --zap-all /dev/sdy
sgdisk --mbrtogpt /dev/sdy
sgdisk --new 1::: --typecode 1:8300 /dev/sdy
wipefs -af /dev/sdy1
cryptsetup --type luks2 --tries 5 --use-urandom luksFormat /dev/sdy1
cryptsetup open /dev/sdy1 cryptroot
mkfs.f2fs /dev/mapper/cryptroot
cryptsetup close /dev/mapper/cryptroot
For a two partition disk - one encrypted (decrypt linux only) - the other not (windows readable) - you specify the size of the first partition and add one more to occupy the remaining space - remember the Windows readable partition must be the first partition - example is a 16G stick - split in halves - adjust according to your use-case
sgdisk --zap-all /dev/sdy
sgdisk --mbrtogpt /dev/sdy
sgdisk --new 1::+8G --typecode 1:0700 /dev/sdy
sgdisk --new 2::: --typecode 2:8300 /dev/sdy
wipefs -af /dev/sdy1
wipefs -af /dev/sdy2
mkfs.exfat /dev/sdy1
cryptsetup --type luks2 --tries 5 --use-urandom luksFormat /dev/sdy2
cryptsetup open /dev/sdy2 cryptroot
mkfs.f2fs /dev/mapper/cryptroot
cryptsetup close /dev/mapper/cryptroot
To open the device select it in dolphin side pane → removable device → input passphrase when challenged.
Or manually in terminal (command is for the first example)
sudo cryptsetup open /dev/sdy1 cryptroot
Input passphrase
Then mount the device.
sudo mount /dev/mapper/cryptroot /mnt
Remember that /mnt is a temporary mountpoint - if you need a static mountpoint create the necessary mount units .
Lastly you can use ventoy to create a bootable USB with an extra partition to hold your encrypted data. The first partition serves as a place for any bootable ISO (your favorite Linux) and also Windows readable while the second holds your encrypted data - decryptable when you boot a system from stick.