This is actually easier said than done. One of the major concerns is you don't want some dude with a security clearance taking work home with him. So a lot of effort goes into things like SELinux being used to control what programs can access files.
Here you have a fundamental conflict. A root user can reconfigure the controls to allow access (that is absolutely necessary from a practical perspective), and so you end up having to trust the sysadmins.
Or you could set up other systems that would read the files, decrypt them only within special programs. Now you have two problems... Moreover the sysadmin might be able to pull passphrases as they are typed, keys as they are uploaded, etc. It is not that easy to manage.
In the end a determined sysadmin can get the information and there isn't really a way you can lock him or her out fully.
A sufficiently careful one probably could for some time, especially if he was quite aware of what was checked and could work around such checks initially.