Generally, if an encrypted filesystem/file is mounted it's contents become accessible to all users who have access to the folder (and root). I think the most feasible solution for your problem is:
- Use LUKS to create an encrypted filesystem
- Mount at boot time (or when you start the HTTP daemon)
- Do not put the key to the container on the box (it's a nuisance to enter the password every time, but a commonly made mistake)
- Change the directory permissions to 700
- Change the ownership to the webserver user (commonly
www-data
)
This will disallow anyone on the system (except www-data and root) to access the files.
If you really want to go for maximum security, you could script something like:
- When accessing the webpage, ask for the encrypted container password
- Mount the encrypted container
- Retrieve the necessary files
- Unmount the container
Keep in mind that mounting/unmounting is a very expensive operation, so your webpage would get really slow.