The title says it all. I know the Linux kernel has a key retention service (https://docs.kernel.org/security/keys/core.html), even though I haven't used it myself.
I'm constructing a system where anybody with root cannot check the keys in that service that were registered by plain users. Assuming the kernel was preconfigured (and verified at boot time) so that root is properly restricted (e.g., cannot investigate memory, etc.), what would be a way to prevent root access to the user keys in that service?