I am looking at possibly using ecryptfs to encrypt the admin directory. Is this even possible without breaking access of some services? Would it cause conflicts with users clamav, www-data, dovecot, etc.? Most important goal is to find a way to encrypt the mail folders, and the more at rest stuff I can encrypt, the better.
I thought about full disk encryption with LUKS but that still leaves everything open to any user on the system that might gain elevated privileges, whereas directory filesystem encryption protects the data behind individual key per directory. It seems in my scenario that filesystem encryption would be much better than block device encryption.
If I find a good way to move forward I’ll do a writeup and post it.