would be to first encrypt each document word-by-word (this can lead to really big documents because of paddings), then the client would transmit the document together with the encrypted words as plain text. In this way, the search engine indexes meaningless words which points to the encrypted documents (you can use two different algorithms and/or keys for word-by-word encryption and for documents). For searching your client encrypts the keywords (asking for the encryption key) and once you have a link you have to decrypt the document.
There should be some weak link in this chain, but I don't find any: be the first to claim my two cents.
Sendmail may be safely run set-user-id to root. -- Eric Allman, "Sendmail Installation Guide"