Answer to your title = YES
Answer to your body question = NO
as an IT Manager, I can confidently answer your question with a no. It is not possible to prevent cypher keys from being stolen by bar or anyone else who have access to the server.
The only counter measure would be storing the keys on a different server but still needs someone who should keeps an eye on and guard. (which goes in a loop)
So in a conclusion, it's a matter of trust no more - the whole thing.
Extra
Anyone who have access to the specified server can decrypt whatever data on it assuming that the encryption keys are stored there too.
also note that a user who has access to the specified server (with unprivileged powers) can work it around using some local / shell exploits in order to get root privileges/access allowing him/her to manipulate and steal or view sensitive information / data, also can implement a backdoor for later on access.
It is impossible to remotely prevent such thing, because if i'm the sys admin of that server, means i have ssh access to it, means i can use an ssh tunnel to work and do the evil stuff behind the server's IP address, so nor firewalls nor anything can block me or prevent me from stealing whatever i want.